CyberSecurity news
FlagThis - #cve-2021-20035
|
Krista Lyons@OpenVPN Blog
//
References:
Blog
, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.
Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates. Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) 100 series appliances is under active exploitation, according to recent reports. The vulnerability, which stems from improper neutralization of special elements in the SMA100 management interface, allows attackers to remotely inject arbitrary commands, potentially leading to code execution. This flaw affects SMA100 devices running older firmware, prompting immediate concern and action from cybersecurity experts. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgency for federal agencies and other organizations to address the issue.
Exploitation of this older SonicWall SMA100 vulnerability has been underway since January 2025, with cybersecurity firm Arctic Wolf tracking a campaign specifically targeting VPN credential access on SonicWall SMA devices. This campaign is believed to be directly related to the CVE-2021-20035 vulnerability. SonicWall itself has acknowledged the active exploitation, with a spokesperson stating that they are actively investigating the scope and details of the attacks. This revelation underscores the increasing trend of threat actors targeting edge devices, such as VPNs and firewalls, to gain unauthorized access. Given the active exploitation, CISA has mandated that federal civilian executive branch agencies patch their SonicWall appliances or discontinue their use if mitigations cannot be applied by May 7. SonicWall urges customers to follow mitigation steps outlined in its advisory and upgrade to the latest firmware as a best practice. As SonicWall vulnerabilities have been a popular target for threat actors in recent years, the Cybersecurity Dive notes patching and timely firmware updates are key to protection. Recommended read:
References :
Iain Thomson@The Register - Security
//
References:
DataBreaches.Net
, The Register - Security
,
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.
The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access. CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.
This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes. CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
CISA has added CVE-2021-20035, a high-severity vulnerability affecting SonicWall SMA100 series appliances, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, an OS command injection vulnerability in the SMA100 management interface, allows remote attackers to execute arbitrary code. The Cybersecurity and Infrastructure Security Agency (CISA) issued the alert on April 16, 2025, based on evidence of active exploitation in the wild. SonicWall originally disclosed the vulnerability in September 2021, and updated the advisory noting it has been reportedly exploited in the wild, and has updated the summary and revised the CVSS score to 7.2.
The vulnerability, tracked as CVE-2021-20035, stems from improper neutralization of special elements in the SMA100 management interface. Specifically, a remote authenticated attacker can inject arbitrary commands as a 'nobody' user, potentially leading to code execution. The affected SonicWall devices include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v appliances running specific firmware versions. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by May 7, 2025, to protect their networks from this actively exploited vulnerability. Remediation steps include applying the latest security patches provided by SonicWall to all affected SMA100 appliances and restricting management interface access to trusted networks. CISA strongly advises all organizations, including state, local, tribal, territorial governments, and private sector entities, to prioritize remediation of this cataloged vulnerability to enhance their cybersecurity posture. Recommended read:
References :
|