Several dangerous vulnerabilities discovered in SonicWall NetExtender VPN software

Attention to Users and Organizations!

Cybersecurity specialists have identified three critical vulnerabilities in SonicWall’s NetExtender VPN software designed for the Windows operating system. These vulnerabilities could allow attackers to perform various malicious actions on users’ computers.

SonicWall has released security updates to address these vulnerabilities and strongly recommends that all users update the NetExtender software to the latest version as soon as possible.

According to official information published by SonicWall, the following three critical vulnerabilities affect NetExtender for Windows versions 10.3.1 and earlier (both 32-bit and 64-bit):

1. CVE-2025-23008 — Improper Access Control

  • Severity Level (CVSS): 7.2 (High)

Description: A regular user may be able to modify program settings and compromise system security.

2. CVE-2025-23009 — Local Privilege Escalation

  • Severity Level (CVSS): 5.9

Description: A low-privileged user may be able to delete system files.

3. CVE-2025-23010 — Improper Handling of File Paths (Link Following)

  • Severity Level (CVSS): 6.5

Description: An attacker could access unauthorized files, disrupt system operations, or cause a denial of service.

Cybersecurity experts:

  • Robert Janzen (Copperleaf Technologies) — CVE-2025-23008
  • Hayden Wright — CVE-2025-23009 and CVE-2025-23010

Responsibly reported these vulnerabilities to SonicWall.

Which Systems Are Affected?

→ All versions of NetExtender for Windows 10.3.1 and earlier (both 32-bit and 64-bit)
→ These vulnerabilities do not affect NetExtender clients for Linux operating systems.

SonicWall Recommendations:

  • ✅ Update NetExtender to version 10.3.2 or later as soon as possible.
  • ✅ Download the update only from the official SonicWall technical support website.
  • ✅ Verify the authenticity of the installation file using digital signatures before installation.
  • ✅ If updating is not possible, apply network segmentation and enforce the principle of least privilege.

At this time, there are no reports of these vulnerabilities being exploited in real-world attacks. However, they could potentially cause significant harm to affected systems if used by attackers.

Remember!

Cybersecurity does not tolerate negligence. It is extremely important to eliminate vulnerabilities in critical applications like VPNs as quickly as possible.

A secure system is a system that is regularly updated!