SonicWall patches multiple vulnerabilities in SMA 100 series, some potentially exploited
Take action: No way around this patch. SonicWall devices are exposed to the internet by their very nature, and all it takes is one compromised VPN user credential for hackers to start exploiting your SMA. And because there's a PoC, there is a tutorial for hackers on how to execute the attack. So don't delay; this one should be patched quickly.
Security researchers at Rapid7 have discovered and disclosed three significant vulnerabilities affecting SonicWall Secure Mobile Access (SMA) 100 series appliances. The flaws, when chained together, can allow attackers to achieve full root-level remote code execution on vulnerable devices.
Vulnerability summary:
- CVE-2025-32819 (CVSS score 8.8): An authenticated attacker with user privileges can delete any file on the SMA appliance as root to perform privilege escalation to the administrator account. Rapid7 believes it may have been exploited in the wild based on known private indicators of compromise (IOCs) and incident response investigations. This vulnerability appears to be a bypass for a previously patched arbitrary file delete vulnerability reported by NCC Group in 2021.
- CVE-2025-32820 (CVSS score 8.3): An authenticated attacker with user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable by all users, including the nobody user. The path traversal is present in the NxPostConnectionScriptFileResource endpoint. Additionally, any existing file on the system can be overwritten with junk contents as root, potentially causing a persistent denial of service condition.
- CVE-2025-32821 (CVSS score 6.7): An authenticated attacker with administrator privileges can inject shell command arguments to upload a fully controlled file anywhere that the nobody user can write to. This allows for the execution of malicious code or exfiltration of sensitive data. It exists in the importlogo CGI script, where portalName parameter values are not sanitized for path traversals or URL encoded, allowing attackers to write controlled files to locations they should not have access to.
The vulnerabilities impact:
- SonicWall SMA 200
- SonicWall SMA 210
- SonicWall SMA 400
- SonicWall SMA 410
- SonicWall SMA 500v
All devices running firmware version 10.2.1.14-75sv and earlier are vulnerable. SonicWall's SSL VPN SMA1000 series products are not affected by these vulnerabilities.
Rapid7 demonstrated a complete attack chain using these vulnerabilities that allows an attacker with only low-privilege SSLVPN user credentials to achieve root-level remote code execution:
- Exploit CVE-2025-32819 to delete the primary SQLite database (/etc/EasyAccess/var/conf/persist.db), causing the system to reboot and reset the administrator password to "password"
- Log in as admin to the SMA web interface using the reset password
- Exploit CVE-2025-32820 to make the SMA appliance's /bin directory world-writable
- Exploit CVE-2025-32821 to write a malicious file to /bin/lsb_release (an executable not installed by default but one that is periodically executed by the system)
- Once the system automatically executes the malicious file, the attacker gains root-level remote code execution
SonicWall has released version 10.2.1.15-81sv to address these vulnerabilities. SonicWall SMA administrators should update to this version immediately.
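To turn the affected-version boundary and the fixed build quoted above into a repeatable inventory check, here is an added Python example (not code from SonicWall, Rapid7 or the original article). It parses the SMA 100 series firmware string format used on this page (`major.minor.patch.build-NNsv`) into a numeric tuple so builds compare correctly, and flags appliances that are both in the affected model list and below 10.2.1.15-81sv. The inventory entries and the host names are constructed for illustration; only the model list and the two version numbers come from the advisory.

```python
import re

# Affected models, last vulnerable build and fixed build, as stated in the advisory.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
LAST_VULNERABLE = "10.2.1.14-75sv"   # this build and earlier are vulnerable
FIXED_VERSION = "10.2.1.15-81sv"     # the release that addresses the three CVEs

# SMA 100 series firmware strings look like 10.2.1.14-75sv: four dotted
# numbers followed by a dash, the build number and the literal "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> tuple:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so builds compare numerically.

    A plain string comparison would get '10.2.1.9-...' vs '10.2.1.14-...' wrong,
    which is why each component is converted to an int first.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 series firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is affected and the firmware is at or below the
    last vulnerable build named in the advisory (10.2.1.14-75sv)."""
    if model not in AFFECTED_MODELS:
        # The SMA1000 series and other products are out of scope; their
        # firmware uses a different versioning scheme, so do not parse it.
        return False
    return parse_sma_version(version) <= parse_sma_version(LAST_VULNERABLE)


def needs_patch(model: str, version: str) -> bool:
    """True when an affected model runs anything older than the fixed build.

    This is the stricter, operational check: the vendor guidance is to move
    to 10.2.1.15-81sv, so any affected appliance below that build is flagged.
    """
    if model not in AFFECTED_MODELS:
        return False
    return parse_sma_version(version) < parse_sma_version(FIXED_VERSION)


def hosts_needing_patch(inventory) -> list:
    """Return the host names from an inventory that still need the update."""
    return [
        entry["host"]
        for entry in inventory
        if needs_patch(entry["model"], entry["version"])
    ]


# Constructed sample inventory (hypothetical hosts; the 10.2.1.13-72sv build
# number is made up to stand for "some earlier 10.2.1.x release").
SAMPLE_INVENTORY = [
    {"host": "sma-branch-1", "model": "SMA 410", "version": "10.2.1.14-75sv"},
    {"host": "sma-branch-2", "model": "SMA 500v", "version": "10.2.1.13-72sv"},
    {"host": "sma-hq", "model": "SMA 400", "version": "10.2.1.15-81sv"},
    {"host": "sma1000-dc", "model": "SMA 1000", "version": "(not an SMA 100 build)"},
]

if __name__ == "__main__":
    for entry in SAMPLE_INVENTORY:
        status = "NEEDS PATCH" if needs_patch(entry["model"], entry["version"]) else "ok"
        print(f'{entry["host"]:<14} {entry["model"]:<9} {entry["version"]:<24} {status}')
```

The two predicates are kept separate on purpose: `is_vulnerable` reproduces the advisory's exact boundary (10.2.1.14-75sv and earlier), while `needs_patch` is the one to drive a ticket queue from, since any affected appliance that is not yet on 10.2.1.15-81sv should be scheduled for the update regardless of where it sits between the two builds.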