CyberSecurity news

info@thehackernews.com (The Hacker News) //
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.

This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes.

CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks.


References:
  • Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
  • Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • Arctic Wolf: On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • securityaffairs.com: Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.
  • The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
  • BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
  • www.scworld.com: Attacks involving old SonicWall SMA100 vulnerability underway
  • The DefendOps Diaries: CISA Flags Critical SonicWall Vulnerabilities: Urgent Mitigation Required
  • arcticwolf.com: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • securityaffairs.com: Security Affairs newsletter reports attackers exploited SonicWall SMA appliances since January 2025
  • www.helpnetsecurity.com: Help Net Security details Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • BleepingComputer: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.