CyberSecurity news

FlagThis - #sma100

@cyberscoop.com //
SonicWall customers are facing a resurgence of actively exploited vulnerabilities, posing a significant threat to their network security. The company recently addressed three flaws in its Secure Mobile Access (SMA) 100 appliances, including a potential zero-day vulnerability. These vulnerabilities can be chained together to achieve remote code execution, potentially granting attackers root-level access to affected systems. The network security vendor has been making frequent appearances on CISA's Known Exploited Vulnerabilities catalog.

Multiple security flaws in SMA 100 Series devices have been actively exploited recently. The disclosed vulnerabilities, identified as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, affect SMA 100 appliances and could enable attackers to run code as root. Specifically, CVE-2025-32819 allows for arbitrary file deletion, potentially resetting the device to factory settings, while CVE-2025-32820 enables overwriting system files, potentially causing denial-of-service. CVE-2025-32821 can lead to shell command injections, further facilitating remote code execution.

SonicWall has released patches for these vulnerabilities in version 10.2.1.15-81sv. Security researchers at Rapid7 discovered the vulnerabilities and worked with SonicWall to validate the effectiveness of the patches before public disclosure. Users of SMA 100 series devices, including SMA 200, 210, 400, 410, and 500v, are strongly advised to update their systems to the latest version to mitigate the risk of exploitation. CISA has added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog and urges federal agencies to remediate these issues immediately.


Pierluigi Paganini@Security Affairs //
SonicWall has released patches to address three significant vulnerabilities impacting its Secure Mobile Access (SMA) 100 series appliances. These flaws, including a potential zero-day, could be chained together by remote attackers to achieve remote code execution. The vulnerabilities affect SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, highlighting the importance of timely updates to prevent exploitation. Cybersecurity experts are urging administrators to apply the patches immediately to mitigate the risk of unauthorized access and potential system compromise.

The most serious of the vulnerabilities, tracked as CVE-2025-32819, is a high-severity arbitrary file delete bug. This flaw could allow attackers to bypass path traversal checks, enabling arbitrary file deletion and potentially leading to reboots to factory settings. SonicWall noted that this vulnerability may have been exploited in the wild, based on known indicators of compromise. Additionally, CVE-2025-32820, another high-severity vulnerability, could facilitate system overwriting, resulting in a denial-of-service condition. The third vulnerability, CVE-2025-32821, is a medium-severity bug that could enable shell command injections, potentially leading to root-level remote code execution.

The fixes are available in firmware version 10.2.1.15-81sv and higher. SonicWall is strongly advising all users of the SMA 100 series products to update their appliances to the latest firmware to protect their systems from these critical vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has also added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog.

References :
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
  • circl: Security Advisory - SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities and following the following technical disclosure
  • BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
  • Help Net Security: HelpNetSecurity details SonicWall SMA100 vulnerability exploited in the wild
  • Rapid7 Cybersecurity Blog: Multiple vulnerabilities in SonicWall SMA 100 series (FIXED)
  • MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release
  • bsky.app: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/
  • Caitlin Condon: Today, disclosed 3 new vulnerabilities in SonicWall SMA-100 series appliances, one of which we believe may have been used in the wild.
  • vulnerability.circl.lu: Security Advisory - SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities and following the following technical disclosure: 🔗 It's exploited. 🔗 Bundle with all the vulnerabilities and the sighting
  • securityaffairs.com: SonicWall fixed SMA 100 flaws that could be chained to execute arbitrary code
  • MSSP feed for Latest: SonicWall Patches Critical Vulnerabilities in SMA 100 Series Appliances
  • www.scworld.com: SonicWall addresses trio of SMA 100 flaws
  • socradar.io: Severe Vulnerabilities in Cisco & SonicWall Expose Systems to RCE, DoS, and More: Patch Now
  • Threats | CyberScoop: SonicWall customers confront resurgence of actively exploited vulnerabilities
  • cyberscoop.com: The network security device vendor is making a regular appearance on CISA’s known exploited vulnerabilities catalog. Unlike its competitors, SonicWall hasn’t signed the secure-by-design pledge.
  • bsky.app: New SonicWall SMA zero-day. Looks like a post-compromise exploit for EoP

Ddos@securityonline.info //
SonicWall has released critical security updates to address three vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products. The vulnerabilities, discovered by Rapid7 cybersecurity researcher Ryan Emmons, impact SMA 200, 210, 400, 410, and 500v devices running firmware version 10.2.1.14-75sv and earlier. The most severe of these flaws, CVE-2025-32819, has a CVSS score of 8.8 and could allow a remote authenticated attacker with SSL-VPN user privileges to bypass path traversal checks and delete arbitrary files, potentially leading to a reboot to factory default settings. SonicWall urges users to upgrade to the fixed release version 10.2.1.15-81sv and higher immediately.

Additionally, the advisory outlines CVE-2025-32820, a post-authentication SSLVPN user Path Traversal vulnerability with a CVSS score of 8.3. This flaw enables a remote authenticated attacker with SSLVPN user privileges to inject a path traversal sequence, making any directory on the SMA appliance writable. A third vulnerability, CVE-2025-32821, carries a CVSS score of 6.7 and allows a remote authenticated attacker with SSLVPN admin privileges to inject shell command arguments to upload a file on the appliance. Security researchers suggest that these vulnerabilities can be chained together by attackers to gain remote code execution as root and compromise vulnerable instances.

As a workaround and additional safety measure, SonicWall recommends enabling multifactor authentication (MFA) on the devices, enabling WAF on SMA100, and resetting the passwords for any users who may have logged into the device via the web interface. The cybersecurity company also noted that CVE-2025-32819 may have been exploited in the wild as a zero-day based on known indicators of compromise. Users are advised to update their instances to the latest version for optimal protection.
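A fleet check for the upgrade guidance above, as an added example (not SonicWall's or the researchers' code): it parses SMA 100 firmware strings and flags any build below the fixed release 10.2.1.15-81sv named on this page. The hostnames and inventory are constructed, and the version-string layout is an assumption inferred from the version strings quoted here.

```python
import re

# Fixed release for CVE-2025-32819/-32820/-32821, as stated on this page.
FIXED_RELEASE = "10.2.1.15-81sv"

# Assumed layout, inferred from the strings on this page: four dotted
# numbers, a dash, a build number and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) for numeric comparison."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the firmware is at or above the fixed release.

    Comparison is numeric per field: as plain strings '10.2.1.9-57sv'
    would sort above '10.2.1.15-81sv' and be reported as patched.
    """
    return parse_firmware(version) >= parse_firmware(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Sort hosts into patched / vulnerable / unknown buckets."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            # Unparseable version: needs manual review, never assumed safe.
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed inventory: hostnames are made up, and '10.2.1.9-57sv' is a
# constructed version string used to show the string-comparison pitfall.
SAMPLE_INVENTORY = {
    "sma-branch-01.example.internal": "10.2.1.14-75sv",
    "sma-branch-02.example.internal": "10.2.1.15-81sv",
    "sma-dc-01.example.internal": "10.2.1.9-57sv",
    "sma-lab-01.example.internal": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```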

References :
  • bsky.app: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks
  • securityonline.info: SonicWall has released a security advisory detailing multiple vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products.
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • BleepingComputer: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks [...]

Ddos@securityonline.info //
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035, can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.

Specifically, CVE-2024-38475 is a critical severity flaw affecting the mod_rewrite module of Apache HTTP Server, potentially allowing unauthenticated remote attackers to execute code. SonicWall addressed this issue in firmware version 10.2.1.14-75sv and later. CVE-2023-44221, a high-severity command injection flaw, allows attackers with administrative privileges to inject arbitrary commands. CVE-2021-20035 is an OS command injection vulnerability that has been actively exploited in the wild since January 2025.

The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data.

References :
  • The DefendOps Diaries: Understanding SonicWall SMA100 Vulnerabilities: Risks and Mitigation
  • BleepingComputer: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
  • Arctic Wolf: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • isc.sans.edu: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
  • securityonline.info: SonicWall confirms active exploitation of SMA 100 vulnerabilities – urges immediate patching
  • Talkback Resources: SonicWall disclosed exploited security flaws in SMA100 Secure Mobile Access appliances, including OS Command Injection and Apache HTTP Server mod_rewrite issues, with patches released in versions 10.2.1.10-62sv and 10.2.1.14-75sv.
  • www.bleepingcomputer.com: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
  • arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • securityonline.info: SecurityOnline
  • Talkback Resources: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models [net]
  • es-la.tenable.com: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • Arctic Wolf: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • bsky.app: Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
  • securityaffairs.com: SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
  • MSSP feed for Latest: SonicWall Flags New Wave of VPN Exploits Targeting SMA Devices
  • bsky.app: Security company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
  • Help Net Security: Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
  • www.scworld.com: SonicWall confirms exploitation of two SMA 100 bugs, one critical
  • securityonline.info: SonicWall Issues Patch for SSRF Vulner
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware
  • hackread.com: watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
  • cyberpress.org: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • www.helpnetsecurity.com: Attackers exploited old flaws to breach SonicWall SMA appliances.
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • Talkback Resources: Iranian state-sponsored threat group conducted a long-term cyber intrusion targeting critical national infrastructure in the Middle East, exhibiting tradecraft overlaps with Lemon Sandstorm, using custom malware families and sophisticated tactics to maintain persistence and bypass network segmentation.
  • Cyber Security News: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • RedPacket Security: SonicWall Products Multiple Vulnerabilities
  • thecyberexpress.com: CISA Adds Two Known Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • Cyber Security News: SonicWall Secure Mobile Access (SMA) appliances are under active attack due to two critical vulnerabilities- CVE-2023-44221 (post-authentication command injection) and CVE-2024-38475(pre-authentication arbitrary file read)-being chained to bypass security controls.
  • bsky.app: SonicWall urges admins to patch VPN flaw exploited in attacks
  • securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
  • MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release

info@thehackernews.com (The Hacker News)@The Hacker News //
CISA has added CVE-2021-20035, a high-severity vulnerability affecting SonicWall SMA100 series appliances, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, an OS command injection vulnerability in the SMA100 management interface, allows remote attackers to execute arbitrary code. The Cybersecurity and Infrastructure Security Agency (CISA) issued the alert on April 16, 2025, based on evidence of active exploitation in the wild. SonicWall originally disclosed the vulnerability in September 2021 and has since updated the advisory to note that it has reportedly been exploited in the wild, also updating the summary and revising the CVSS score to 7.2.

The vulnerability, tracked as CVE-2021-20035, stems from improper neutralization of special elements in the SMA100 management interface. Specifically, a remote authenticated attacker can inject arbitrary commands as a 'nobody' user, potentially leading to code execution. The affected SonicWall devices include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v appliances running specific firmware versions.

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by May 7, 2025, to protect their networks from this actively exploited vulnerability. Remediation steps include applying the latest security patches provided by SonicWall to all affected SMA100 appliances and restricting management interface access to trusted networks. CISA strongly advises all organizations, including state, local, tribal, territorial governments, and private sector entities, to prioritize remediation of this cataloged vulnerability to enhance their cybersecurity posture.

References :
  • chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: Details on the exploitation of the vulnerability
  • Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerability
  • gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
  • gbhackers.com: GBHackers: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
  • The DefendOps Diaries: CISA flags critical SonicWall vulnerabilities: Urgent mitigation required to prevent cyber attacks
  • www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
  • Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • arcticwolf.com: On 15 April 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
  • BleepingComputer: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
  • bsky.app: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
  • www.scworld.com: Cybersecurity Dive reports that active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw
  • www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • securityaffairs.com: CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog.
  • Help Net Security: CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers.
  • arcticwolf.com: Details the credential access campaign targeting SonicWall SMA devices and its potential link to CVE-2021-20035 exploitation.
  • securityaffairs.com: Attackers exploited SonicWall SMA appliances since January 2025
  • www.bleepingcomputer.com: SonicWall SMA VPN devices targeted in attacks since January