CISA Identifies Actively Exploited Vulnerability in SonicWall SMA Devices
On April 17, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took significant action by adding a critical security vulnerability affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) list. This classification stems from clear indications of active exploitation in the wild, underscoring the urgency of the threat.
The vulnerability, tracked as CVE-2021-20035, is rated high severity with a CVSS score of 7.2. It is an operating system command injection flaw that could allow an attacker to execute arbitrary code. According to a September 2021 advisory from SonicWall, the vulnerability stems from improper sanitization of special characters in the management interface of the SMA100. This allows a remote authenticated attacker to inject commands that are executed in the context of the ‘nobody’ user, posing a substantial risk to system integrity.
Affected devices include various models within the SMA 100 Series, specifically the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (operating in environments like ESX, KVM, AWS, and Azure). The vulnerable software versions include 10.2.1.0-17sv and earlier, as well as 10.2.0.7-34sv and earlier. SonicWall has noted that these issues have been addressed in versions 10.2.1.1-19sv and later, and 10.2.0.8-37sv and beyond.
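The affected and fixed version ranges above map cleanly to an inventory check. The following Python is an added example, not SonicWall's or CISA's code: it parses SMA 100 firmware strings of the form `10.2.1.0-17sv`, compares them against the fixed builds for each of the two branches named in the advisory, and triages a constructed list of hosts. The host names and versions in the sample inventory are made up for illustration.

```python
import re
from typing import List, Optional, Tuple

# First fixed build per branch, taken from the advisory summary above.
FIXED_BY_BRANCH = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
}

# SMA 100 firmware strings look like major.minor.patch.hotfix-<build>sv
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so tuples compare numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA version string: {version!r}")
    return tuple(int(group) for group in match.groups())


def is_affected_cve_2021_20035(version: str) -> Optional[bool]:
    """True if vulnerable, False if the fix is present, None if the version
    is on a branch the advisory does not cover (treat those as unknown)."""
    parsed = parse_sma_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:3])
    if fixed is None:
        return None
    return parsed < parse_sma_version(fixed)


def hosts_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose firmware is confirmed vulnerable."""
    return [host for host, ver in inventory if is_affected_cve_2021_20035(ver) is True]


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    ("sma-hq-01", "10.2.1.0-17sv"),   # vulnerable: last build before the fix
    ("sma-hq-02", "10.2.1.1-19sv"),   # fixed
    ("sma-dc-01", "10.2.0.7-34sv"),   # vulnerable on the 10.2.0 branch
    ("sma-dc-02", "10.2.0.8-37sv"),   # fixed
    ("sma-lab-01", "10.2.2.0-1sv"),   # branch not covered by the advisory
]

if __name__ == "__main__":
    print("Needs upgrade:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```

Hosts that come back as unknown (`None`) should be verified against the vendor's current advisory rather than assumed safe.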
The primary targets of this vulnerability are businesses that use SonicWall’s solutions to manage secure remote access. Given that the flaw is being actively exploited, organizations that rely on these devices should prioritize remediation to shield their networks from potential intrusions.
In terms of attack methodology, this incident maps to several tactics and techniques in the MITRE ATT&CK framework. Gaining a foothold likely involves privilege escalation, with attackers leveraging their authenticated status to execute malicious commands. Exploitation of the command injection vulnerability aligns with tactics used to maintain persistence within compromised environments.
Organizations must remain vigilant and proactive in updating their systems to mitigate risks associated with such vulnerabilities. The ongoing evolution of cyber threats highlights the critical need for businesses to prioritize cybersecurity measures as part of their operational protocols. Keeping software up to date and adhering to best practices for network security can significantly reduce the likelihood of falling victim to similar exploits in the future.