CISA reports active exploitation of SonicWall SMA 100 Series vulnerability
Take action: If you are running SonicWall SMA products and haven't patched them since 2021, you need to start patching NOW. Because hackers don't care if you didn't have time to patch your firewalls. They will hack you.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is reporting an actively exploited vulnerability affecting SonicWall Secure Mobile Access (SMA) 100 Series.
The vulnerability is tracked as CVE-2021-20035 (CVSS score: 7.2). It is an operating system command injection in the SMA100 management interface, potentially leading to code execution.
The vulnerability stems from improper neutralization of special elements in the management interface, which allows remote authenticated attackers to inject arbitrary commands as a 'nobody' user. Despite the limited user privileges, this flaw could ultimately enable code execution on affected systems.
The vulnerability impacts multiple SonicWall SMA products, including:
- SMA 200
- SMA 210
- SMA 400
- SMA 410
- SMA 500v (across multiple platforms: ESX, KVM, AWS, Azure)
The following versions of SonicWall SMA software are vulnerable:
- 10.2.1.0-17sv and earlier (Fixed in 10.2.1.1-19sv and higher)
- 10.2.0.7-34sv and earlier (Fixed in 10.2.0.8-37sv and higher)
- 9.0.0.10-28sv and earlier (Fixed in 9.0.0.11-31sv and higher)
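For triaging an appliance inventory against the list above, here is an added example (not code from SonicWall or CISA). It assumes versions order by their four dotted fields and then the build number; the hostnames and inventory entries are constructed, and anything outside the listed bounds is flagged for manual review rather than guessed.

```python
import re

# Bounds copied from the version list above:
# branch (first three fields) -> (last vulnerable, first fixed)
BOUNDS = {
    (10, 2, 1): ("10.2.1.0-17sv", "10.2.1.1-19sv"),
    (10, 2, 0): ("10.2.0.7-34sv", "10.2.0.8-37sv"),
    (9, 0, 0): ("9.0.0.10-28sv", "9.0.0.11-31sv"),
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv")


def parse_version(text):
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17); raise ValueError otherwise."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'vulnerable', 'fixed' or 'review' for one firmware version string."""
    try:
        version = parse_version(text)
    except ValueError:
        return "review"  # unparseable: check the appliance by hand
    bounds = BOUNDS.get(version[:3])
    if bounds is None:
        return "review"  # branch is not covered by the list
    last_vulnerable, first_fixed = (parse_version(b) for b in bounds)
    if version <= last_vulnerable:
        return "vulnerable"
    if version >= first_fixed:
        return "fixed"
    return "review"  # between the two bounds: the list does not say


# Constructed inventory for illustration (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("sma-01.example.internal", "10.2.0.5-29sv"),
    ("sma-02.example.internal", "10.2.1.1-19sv"),
    ("sma-03.example.internal", "8.6.0.1-3sv"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host}\t{version}\t{classify(version)}")
```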
While specific details about the exploitation techniques are not disclosed, SonicWall has updated its security bulletin to confirm that "this vulnerability is potentially being exploited in the wild." The vulnerability was initially remedied in September 2021, suggesting that attackers are targeting organizations that have failed to apply the available patches over the past several years.
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by May 7, 2025. Organizations are strongly advised to install the relevant patches immediately.