Sources: cyberscoop.com, securityaffairs.com
SonicWall customers are facing a resurgence of actively exploited vulnerabilities, posing a significant threat to their network security. The company recently addressed three flaws in its Secure Mobile Access (SMA) 100 appliances, including a potential zero-day vulnerability. These vulnerabilities can be chained together to achieve remote code execution, potentially granting attackers root-level access to affected systems. The network security vendor has been making frequent appearances on CISA's Known Exploited Vulnerabilities catalog.
Multiple security flaws in SMA 100 Series devices have been actively exploited recently. The disclosed vulnerabilities, identified as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, affect SMA 100 appliances and could enable attackers to run code as root. Specifically, CVE-2025-32819 allows for arbitrary file deletion, potentially resetting the device to factory settings, while CVE-2025-32820 enables overwriting system files, potentially causing denial-of-service. CVE-2025-32821 can lead to shell command injections, further facilitating remote code execution. SonicWall has released patches for these vulnerabilities in version 10.2.1.15-81sv. Security researchers at Rapid7 discovered the vulnerabilities and worked with SonicWall to validate the effectiveness of the patches before public disclosure. Users of SMA 100 series devices, including SMA 200, 210, 400, 410, and 500v, are strongly advised to update their systems to the latest version to mitigate the risk of exploitation. CISA has added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog and urges federal agencies to remediate these issues immediately.
Source: Pierluigi Paganini, Security Affairs
SonicWall has released patches to address three significant vulnerabilities impacting its Secure Mobile Access (SMA) 100 series appliances. These flaws, including a potential zero-day, could be chained together by remote attackers to achieve remote code execution. The vulnerabilities affect SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, highlighting the importance of timely updates to prevent exploitation. Cybersecurity experts are urging administrators to apply the patches immediately to mitigate the risk of unauthorized access and potential system compromise.
The most serious of the vulnerabilities, tracked as CVE-2025-32819, is a high-severity arbitrary file delete bug. This flaw could allow attackers to bypass path traversal checks, enabling arbitrary file deletion and potentially leading to reboots to factory settings. SonicWall noted that this vulnerability may have been exploited in the wild, based on known indicators of compromise. Additionally, CVE-2025-32820, another high-severity vulnerability, could allow system files to be overwritten, resulting in a denial-of-service condition. The third vulnerability, CVE-2025-32821, is a medium-severity bug that could enable shell command injections, potentially leading to root-level remote code execution. The fixes are available in firmware version 10.2.1.15-81sv and higher. SonicWall is strongly advising all users of the SMA 100 series products to update their appliances to the latest firmware to protect their systems from these critical vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has also added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog.
Source: Ddos, securityonline.info
SonicWall has released critical security updates to address three vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products. The vulnerabilities, discovered by Rapid7 cybersecurity researcher Ryan Emmons, impact SMA 200, 210, 400, 410, and 500v devices running firmware version 10.2.1.14-75sv and earlier. The most severe of these flaws, CVE-2025-32819, has a CVSS score of 8.8 and could allow a remote authenticated attacker with SSL-VPN user privileges to bypass path traversal checks and delete arbitrary files, potentially leading to a reboot to factory default settings. SonicWall urges users to upgrade to the fixed release version 10.2.1.15-81sv and higher immediately.
Additionally, the advisory outlines CVE-2025-32820, a post-authentication SSLVPN user Path Traversal vulnerability with a CVSS score of 8.3. This flaw enables a remote authenticated attacker with SSLVPN user privileges to inject a path traversal sequence, making any directory on the SMA appliance writable. A third vulnerability, CVE-2025-32821, carries a CVSS score of 6.7 and allows a remote authenticated attacker with SSLVPN admin privileges to inject shell command arguments to upload a file on the appliance. Security researchers suggest that these vulnerabilities can be chained together by attackers to gain remote code execution as root and compromise vulnerable instances. As a workaround and additional safety measure, SonicWall recommends enabling multifactor authentication (MFA) on the devices, enabling WAF on SMA100 and resetting the passwords for any users who may have logged into the device via the web interface. The cybersecurity company also noted that CVE-2025-32819 may have been exploited in the wild as a zero-day based on known indicators of compromise. Users are advised to update their instances to the latest version for optimal protection.
Source: The Hacker News (info@thehackernews.com)
A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. The network security company noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.
The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC. Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods.
Source: Ddos, securityonline.info
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035 can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.
Specifically, CVE-2024-38475 is a critical severity flaw affecting the mod_rewrite module of Apache HTTP Server, potentially allowing unauthenticated remote attackers to execute code. SonicWall addressed this issue in firmware version 10.2.1.14-75sv and later. CVE-2023-44221, a high-severity command injection flaw, allows attackers with administrative privileges to inject arbitrary commands. CVE-2021-20035 is an OS command injection vulnerability that has been actively exploited in the wild since January 2025. The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have also observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data.
Source: Krista Lyons, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.
Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw, which can lead to code execution rather than only a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device's boot process, allowing attackers with prior access to maintain control even after firmware updates. Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. Although both SonicWall and CISA have confirmed exploitation of CVE-2021-20035, details about the attacks remain scarce.
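The items above quote several fixed SMA 100 firmware releases: 10.2.1.15-81sv for the CVE-2025-32819/32820/32821 chain and, per branch, 10.2.1.1-19sv, 10.2.0.8-37sv or 9.0.0.11-31sv for CVE-2021-20035. The following inventory triage script is an added example, not code from SonicWall or any of the cited outlets; the hostnames and running versions in the sample inventory are constructed, and the branch-matching rule (compare against the fix for the device's own major.minor.patch line, otherwise flag anything older than any listed fix) is this example's own reading of the advisories' "X and earlier" / "X and higher" wording.

```python
import re

# Fixed SMA 100 firmware releases quoted in the advisories summarised above.
FIXED = {
    "CVE-2025-32819": ["10.2.1.15-81sv"],                              # also covers 32820/32821
    "CVE-2021-20035": ["10.2.1.1-19sv", "10.2.0.8-37sv", "9.0.0.11-31sv"],
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.14-75sv' into the comparable tuple (10, 2, 1, 14, 75)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(running, fixes):
    """True if `running` predates the fix for its own branch (first three
    numbers: 10.2.1 vs 10.2.0 vs 9.0.0).  A branch with no listed fix is
    flagged conservatively if it is older than any fix (assumption)."""
    run = parse_version(running)
    fixed = [parse_version(f) for f in fixes]
    same_branch = [f for f in fixed if f[:3] == run[:3]]
    if same_branch:
        return run < same_branch[0]
    return any(run < f for f in fixed)


def triage(inventory):
    """Return (host, version, cve, fix_to_apply) for every exposed appliance."""
    findings = []
    for host, version in inventory.items():
        for cve, fixes in FIXED.items():
            if is_vulnerable(version, fixes):
                findings.append((host, version, cve, " / ".join(fixes)))
    return findings


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.14-75sv",     # exposed to the 2025 chain only
    "sma-branch-02": "10.2.0.7-34sv",  # exposed to both
    "sma-legacy-03": "9.0.0.11-31sv",  # CVE-2021-20035 fixed; older than the 2025 fix line
    "sma-dc-04": "10.2.1.15-81sv",     # fully patched
}

if __name__ == "__main__":
    for host, ver, cve, fix in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:16} {cve}: upgrade to {fix}")
```

The script only compares version strings; it does not replace the advisory's other guidance (MFA, WAF, credential resets) or a check for the indicators of compromise SonicWall referenced.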