Vendor CVEs
Stormshield
All CVEs
37 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-27829 | | High | 0.47 | 7.3 | 0.00 | | Apr 1, 2025 | An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.35. If multicast streams are enabled on different interfaces, it may be possible to interrupt multicast traffic on some of these interfaces. That could result in a denial of the multicast routing… |
| CVE-2026-8474 | | Med | 0.34 | 5.3 | 0.00 | | Jun 1, 2026 | A vulnerability was discovered on Stormshield Network Security 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5. It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the… |
| CVE-2024-37386 | | Med | 0.27 | 4.2 | 0.00 | | Jul 15, 2024 | An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.25, 4.4.0 through 4.7.5, and 4.8.0. Certain manipulations allow restarting in single-user mode despite the activation of secure boot. The following versions fix this: 4.3.27, 4.7.6, and 4.8.2. |
| CVE-2024-31946 | | Med | 0.27 | 4.2 | 0.00 | | Jul 15, 2024 | An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.41, 3.10.0 through 3.11.29, 4.0 through 4.3.24, and 4.4.0 through 4.7.4. A user who has access to the SNS with write access on the email alerts page has the ability to create alert email containing… |
| CVE-2025-48707 | | | 0.00 | — | 0.00 | | Sep 25, 2025 | An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing. |
| CVE-2023-28616 | | | 0.00 | — | 0.00 | | Dec 26, 2023 | An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1. It affects user accounts for which the password has an equals sign or space character. The serverd process logs such passwords in cleartext, and… |
| CVE-2023-47091 | | | 0.00 | — | 0.01 | | Dec 25, 2023 | An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2. An attacker can overflow the cookie threshold, making an IPsec connection impossible. |
| CVE-2023-34198 | | | 0.00 | — | 0.01 | | Dec 25, 2023 | In Stormshield Network Security (SNS) 1.0.0 through 3.7.36 before 3.7.37, 3.8.0 through 3.11.24 before 3.11.25, 4.0.0 through 4.3.18 before 4.3.19, 4.4.0 through 4.6.5 before 4.6.6, and 4.7.0 before 4.7.1, the usage of a Network object created from an inactive DHCP interface in… |
| CVE-2023-41165 | | | 0.00 | — | 0.00 | | Dec 25, 2023 | An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.38 before 3.7.39, 3.10.0 through 3.11.26 before 3.11.27, 4.0 through 4.3.21 before 4.3.22, and 4.4.0 through 4.6.8 before 4.6.9. An administrator with write access to the SNS firewall can configure a… |
| CVE-2023-47093 | | | 0.00 | — | 0.00 | | Dec 20, 2023 | An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.21, 4.4.0 through 4.6.8, and 4.7.0. Sending a crafted ICMP packet may lead to a crash of the ASQ engine. |
| CVE-2023-41166 | | | 0.00 | — | 0.00 | | Dec 20, 2023 | An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.39, 3.11.0 through 3.11.27, 4.3.0 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1. It's possible to know if a specific user account exists on the SNS firewall by using remote access… |
| CVE-2023-26095 | | | 0.00 | — | 0.01 | | Aug 28, 2023 | ASQ in Stormshield Network Security (SNS) 4.3.15 before 4.3.16 and 4.6.x before 4.6.3 allows a crash when analysing a crafted SIP packet. |
| CVE-2021-27932 | | | 0.00 | — | 0.00 | | Aug 25, 2023 | Stormshield Network Security (SNS) VPN SSL Client 2.1.0 through 2.8.0 has Insecure Permissions. |
| CVE-2023-35800 | | | 0.00 | — | 0.00 | | Jun 27, 2023 | Stormshield Endpoint Security Evolution 2.0.0 through 2.4.2 has Insecure Permissions. An ACL entry on the SES Evolution agent directory that contains the agent logs displayed in the GUI allows interactive users to read data, which could allow access to information reserved to… |
| CVE-2023-35799 | | | 0.00 | — | 0.00 | | Jun 27, 2023 | Stormshield Endpoint Security Evolution 2.0.0 through 2.3.2 has Insecure Permissions. An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges. |
| CVE-2022-27812 | | | 0.00 | — | 0.01 | | Aug 24, 2022 | Flooding SNS firewall versions 3.7.0 to 3.7.29, 3.11.0 to 3.11.17, 4.2.0 to 4.2.10, and 4.3.0 to 4.3.6 with specific forged traffic can lead to SNS DoS. |
| CVE-2022-30279 | | | 0.00 | — | 0.01 | | May 12, 2022 | An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.8. The event logging of the ASQ sofbus lacbus plugin triggers the dereferencing of a NULL pointer, leading to a crash of SNS. An attacker could exploit this vulnerability via forged sofbus lacbus… |
| CVE-2022-23989 | | | 0.00 | — | 0.01 | | Mar 15, 2022 | In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5, a flood of connections to the SSLVPN service might lead to saturation of the loopback interface. This could result in the blocking of almost all… |
| CVE-2021-37613 | | | 0.00 | — | 0.00 | | Feb 10, 2022 | Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial of Service. |
| CVE-2021-3398 | | | 0.00 | — | 0.01 | | Feb 10, 2022 | Stormshield Network Security (SNS) 3.x has an Integer Overflow in the high-availability component. |
| CVE-2021-31617 | | | 0.00 | — | 0.02 | | Jan 31, 2022 | In ASQ in Stormshield Network Security (SNS) 1.0.0 through 2.7.8, 2.8.0 through 2.16.0, 3.0.0 through 3.7.20, 3.8.0 through 3.11.8, and 4.0.1 through 4.2.2, mishandling of memory management can lead to remote code execution. |
| CVE-2021-28962 | | | 0.00 | — | 0.01 | | Jan 31, 2022 | Stormshield Network Security (SNS) before 4.2.2 allows a read-only administrator to gain privileges via CLI commands. |
| CVE-2021-45885 | | | 0.00 | — | 0.01 | | Dec 29, 2021 | An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password. |
| CVE-2021-45090 | | | 0.00 | — | 0.03 | | Dec 21, 2021 | Stormshield Endpoint Security before 2.1.2 allows remote code execution. |
| CVE-2021-45089 | | | 0.00 | — | 0.00 | | Dec 21, 2021 | Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Control. |
| CVE-2021-45091 | | | 0.00 | — | 0.01 | | Dec 21, 2021 | Stormshield Endpoint Security from 2.1.0 to 2.1.1 has Incorrect Access Control. |
| CVE-2021-31221 | | | 0.00 | — | 0.00 | | Jul 13, 2021 | SES Evolution before 2.1.0 allows deleting some parts of a security policy by leveraging access to a computer having the administration console installed. |
| CVE-2021-31222 | | | 0.00 | — | 0.00 | | Jul 13, 2021 | SES Evolution before 2.1.0 allows updating some parts of a security policy by leveraging access to a computer having the administration console installed. |
| CVE-2021-31223 | | | 0.00 | — | 0.01 | | Jul 13, 2021 | SES Evolution before 2.1.0 allows reading some parts of a security policy by leveraging access to a computer having the administration console installed. |
| CVE-2021-31220 | | | 0.00 | — | 0.00 | | Jul 13, 2021 | SES Evolution before 2.1.0 allows modifying security policies by leveraging access of a user having read-only access to security policies. |
| CVE-2021-31224 | | | 0.00 | — | 0.00 | | Jul 13, 2021 | SES Evolution before 2.1.0 allows duplicating an existing security policy by leveraging access of a user having read-only access to security policies. |
| CVE-2021-35957 | | | 0.00 | — | 0.00 | | Jul 13, 2021 | Stormshield Endpoint Security Evolution 2.0.0 through 2.0.2 does not accomplish the intended defense against local administrators who can replace the Visual C++ runtime DLLs (in %WINDIR%\system32) with malicious ones. |
| CVE-2021-31225 | | | 0.00 | — | 0.00 | | Jul 13, 2021 | SES Evolution before 2.1.0 allows deleting some resources not currently in use by any security policy by leveraging access to a computer having the administration console installed. |
| CVE-2021-27506 | | | 0.00 | — | 0.01 | | Mar 19, 2021 | The ClamAV Engine (version 0.103.1 and below) component embedded in Stormshield Network Security (SNS) is subject to DoS in case of parsing of malformed png files. This affects Netasq versions 9.1.0 to 9.1.11 and SNS versions 1.0.0 to 4.2.0. This issue is fixed in SNS 3.7.19,… |
| CVE-2021-3384 | | | 0.00 | — | 0.01 | | Mar 2, 2021 | A vulnerability in Stormshield Network Security could allow an attacker to trigger a protection related to ARP/NDP tables management, which would temporarily prevent the system from contacting new hosts via IPv4 or IPv6. This affects versions 2.0.0 to 2.7.7, 2.8.0 to 2.16.0, 3.0.0 to… |
| CVE-2020-8430 | | | 0.00 | — | 0.01 | | Apr 13, 2020 | Stormshield Network Security 310 3.7.10 devices have an auth/lang.html?rurl= Open Redirect vulnerability on the captive portal. For example, the attacker can use rurl=//example.com instead of rurl=https://example.com in the query string. |
| CVE-2018-20850 | | | 0.00 | — | 0.00 | | Jul 4, 2019 | Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3.7.1 has self-XSS in the command line interface of the SNS web server. |