Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Vulnerabilities in SonicWall NetExtender Could Allow Privilege Escalation and System Tampering, Patch Immediately!
Image
Published : 13/04/2025
- Last update: 11/04/2025
- Affected software: SonicWall NetExtender Windows Client Version 10.3.1 and earlier versions
- Type:
→ CWE-250: Execution with Unnecessary Privileges
→ CWE-59: Improper Link Resolution Before File Access ('Link Following')- CVE/CVSS
→ CVE-2025-23008: CVSS 7.2 (CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
→ CVE-2025-23009: CVSS 5.9 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
→ CVE-2025-23010: CVSS 6.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Sources
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0006
Risks
SonicWall NetExtender for Windows is a VPN client widely used by organisations to enable secure remote access. It is affected by multiple vulnerabilities that could allow attackers to manipulate system configurations, or cause system disruption.
Although there is currently no evidence of active exploitation, the vulnerabilities pose a high risk to confidentiality, integrity, and availability. These flaws could be leveraged by an attacker to disrupt operations, lead to unauthorized configuration changes, or open pathways for further compromise.
While exploitation requires local access, the low attack complexity and high impact make these vulnerabilities particularly concerning. Additionally, VPN clients serve as a critical gateway into internal systems, making it a particularly attractive and high-value target for attackers. Organisations relying on SonicWall NetExtender should act promptly to update to the latest patched version to mitigate the risk.
Description
CVE-2025-23008: SonicWall NetExtender Improper Privilege Management (High)
This vulnerability stems from improper privilege management in the Windows (32 and 64 bit) NetExtender client. It allows a low privileged attacker to modify configuration settings that should only be accessible to administrators. This flaw could be used to tamper with VPN configurations, posing significant risks to both security and connectivity.
CVE-2025-23009: SonicWall NetExtender Local Privilege Escalation (Medium)
A local attacker with low privileges can exploit this flaw to trigger arbitrary file deletions. An attacker could use this to remove critical system files or logs, effectively disrupting services or hiding traces of malicious activity.
CVE-2025-23010: SonicWall NetExtender Link Following Vulnerability (Medium)
This vulnerability involves improper link resolution before file access ('Link Following'). Attackers can abuse this vulnerability to redirect legitimate file operations to unintended locations. This can lead to overwriting or deletion of system-critical files or configuration data, resulting in system instability or denial of service. If the files are used for a security mechanism, then an attacker may be able to bypass the mechanism.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.cve.org/CVERecord?id=CVE-2025-23008
https://www.cve.org/CVERecord?id=CVE-2025-23009
https://www.cve.org/CVERecord?id=CVE-2025-23010