Threat Actors Exploit SonicWall SMA Flaw Since January 2025: Critical Updates
Learn about the ongoing exploitation of a SonicWall SMA vulnerability and the critical steps organizations must take to secure their systems.
TL;DR
Threat actors have been actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025. The vulnerability, tracked as CVE-2021-20035 and patched in September 2021, lets an authenticated attacker inject arbitrary OS commands into the management interface and execute code on the appliance. Organizations should update to fixed firmware, reset local account passwords, disable unused accounts and enforce multi-factor authentication.
Critical Vulnerability in SonicWall SMA Appliances Actively Exploited
Threat actors have been actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025. The vulnerability, identified as CVE-2021-20035, carries a CVSS score of 7.1 and affects the management interface of SMA100 series devices [1].
Vulnerability Overview
The vulnerability is an OS command injection flaw in the SMA100 management interface. A remote, authenticated attacker can inject arbitrary commands that run as the ‘nobody’ user, which can be escalated into arbitrary code execution on the appliance. According to the SonicWall advisory, the root cause is improper neutralization of special elements in a user-supplied parameter before it reaches an OS command [2]. Because the flaw is only reachable after authentication, valid credentials for the management interface are the precondition for exploitation.
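To make the flaw class concrete, here is an added illustration (hypothetical code written for this article, not SonicWall's SMA100 firmware) of an authenticated management handler that runs a network probe against a user-supplied host. It assumes a POSIX shell with the `echo` and `id` utilities; the `id` payload stands in for whatever an attacker would run as the ‘nobody’ user. The three variants show the unneutralized input, the "neutralize special elements" fix the advisory language refers to, and the stronger allow-list plus no-shell design.

```python
"""Added illustration of CWE-78 (OS command injection), the flaw class behind
CVE-2021-20035. Hypothetical code, not SonicWall's SMA100 firmware: an
authenticated management handler that probes a user-supplied host.
Assumes a POSIX shell with `echo` and `id`; `id` stands in for any payload."""
import re
import shlex
import subprocess

# Constructed inputs: one benign host, one carrying a shell metacharacter payload.
BENIGN_HOST = "203.0.113.10"
MALICIOUS_HOST = "203.0.113.10; id"


def diag_vulnerable(host):
    """Splices the parameter into a shell command line. ';', '|', '&&', '$()' and
    backticks are never neutralized, so the appended command also runs, with the
    privileges of the service (the advisory's 'nobody' user)."""
    proc = subprocess.run(f"echo probing {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def diag_quoted(host):
    """Neutralizes special elements: shlex.quote wraps the value so the shell
    treats it as one literal word. Correct, but still depends on a shell."""
    proc = subprocess.run(f"echo probing {shlex.quote(host)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Allow-list for a hostname or IPv4 literal: letters, digits, dots, hyphens only.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def validate_host(host):
    """Reject anything outside the allow-list before it gets near a command."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def diag_hardened(host):
    """Defence in depth: validate against the allow-list, then pass an argv list
    with shell=False so no shell ever parses the value."""
    proc = subprocess.run(["echo", "probing", validate_host(host)],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(diag_vulnerable(MALICIOUS_HOST))   # second line is the output of `id`
    print(diag_quoted(MALICIOUS_HOST))       # payload echoed back as harmless text
    try:
        diag_hardened(MALICIOUS_HOST)
    except ValueError as exc:
        print(exc)
```

The quoted variant is what "neutralizing special elements" buys you; the hardened variant is what a management interface should do instead, since an allow-list rejects the payload outright and an argv list removes the shell from the path entirely.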
Impacted Devices and Mitigation
The vulnerability impacts the following devices:
- SMA 200
- SMA 210
- SMA 400
- SMA 410
- SMA 500v
SonicWall released fixed firmware for these models in September 2021, so only appliances still running older firmware are exposed. Besides command execution, exploitation can crash the appliance, causing a denial of service (DoS) for every user who depends on it for remote access.
CISA Alert and Federal Directive
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog on April 16, 2025. Under Binding Operational Directive 22-01, federal civilian agencies must remediate it by May 7, 2025 [3].
Active Exploitation and Campaign Details
SonicWall updated its advisory to confirm that the vulnerability is potentially being exploited in the wild. Arctic Wolf researchers uncovered an active campaign running from January to April 2025 that targeted SonicWall SMA 100 series appliances to steal VPN credentials. The attackers logged in with the default super admin account (admin@LocalDomain), which in many deployments still carries the weak default password “password”. Because the attack begins with valid credentials, even a fully patched appliance can be taken over if that default or another weak local password is still in place [4].
According to Arctic Wolf’s report, the campaign highlights the importance of securing local accounts on the appliance itself rather than relying only on firmware updates. The report also shares Indicators of Compromise (IoCs) for the campaign [5].
Recommendations for Mitigation
Arctic Wolf recommends the following measures to block CVE-2021-20035 attacks:
- Limit VPN access
- Disable unused accounts
- Enable multi-factor authentication
- Reset all local account passwords on SonicWall SMA appliances
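The campaign described above and the four recommendations are easier to act on with a concrete check. The following added example is written for this article and is not Arctic Wolf’s or SonicWall’s tooling: it triages a constructed authentication log sample in a hypothetical key=value layout (the real SMA100 log format differs, so the regular expression must be adapted) for the pattern of guessing followed by a successful default-admin login from an external address, and it audits a constructed local-account inventory against the four recommendations. The trusted range 10.20.0.0/16 and the 2025-01-01 password-reset cutoff are assumptions.

```python
"""Added example: triage SMA authentication logs for the pattern Arctic Wolf
described (default super-admin account, external source, guessing before
success) and audit local accounts against the four recommendations.
Not SonicWall or Arctic Wolf tooling; log format and inventory are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_ADMIN = "admin@LocalDomain"
# Assumption: administrative logins are only expected from this internal range.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample lines in a hypothetical key=value layout, not the real SMA100 format.
SAMPLE_LOG = """\
2025-02-03T04:12:01Z sma01 auth user=jdoe@LocalDomain src=10.20.0.15 result=SUCCESS
2025-02-03T04:12:09Z sma01 auth user=admin@LocalDomain src=198.51.100.23 result=FAILURE
2025-02-03T04:12:11Z sma01 auth user=admin@LocalDomain src=198.51.100.23 result=FAILURE
2025-02-03T04:12:14Z sma01 auth user=admin@LocalDomain src=198.51.100.23 result=FAILURE
2025-02-03T04:12:20Z sma01 auth user=admin@LocalDomain src=198.51.100.23 result=SUCCESS
2025-02-03T06:40:02Z sma01 auth user=svc-backup@LocalDomain src=10.20.0.40 result=SUCCESS
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return (timestamp, user, src, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"] == "SUCCESS"))
    return events


def triage(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Flag successful logins matching the campaign pattern.

    Returns (kind, user, src, timestamp) tuples. Each kind alone is a lead;
    all three on one event is a strong indicator of default-password abuse."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    for ts, user, src, success in events:
        key = (user, src)
        if not success:
            failures[key].append(ts)
            continue
        if user == DEFAULT_ADMIN:
            findings.append(("default-admin-login", user, src, ts))
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
            findings.append(("untrusted-source", user, src, ts))
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= fail_threshold:
            findings.append(("failures-then-success", user, src, ts))
    return findings


# Constructed local-account inventory (hypothetical export fields).
ACCOUNTS = [
    {"user": "admin@LocalDomain", "enabled": True, "mfa": False,
     "pw_changed": "2021-06-01", "last_login": "2025-02-03"},
    {"user": "jdoe@LocalDomain", "enabled": True, "mfa": True,
     "pw_changed": "2025-01-15", "last_login": "2025-02-03"},
    {"user": "contractor@LocalDomain", "enabled": True, "mfa": False,
     "pw_changed": "2024-03-01", "last_login": "2024-05-20"},
]


def account_hygiene(accounts, now, idle_days=90, reset_after="2025-01-01"):
    """Map each enabled local account to the recommendations it still violates.

    `now` and `reset_after` are ISO dates; a password changed before `reset_after`
    (assumption: start of the observed campaign) still needs the recommended reset."""
    today = datetime.strptime(now, "%Y-%m-%d")
    cutoff = datetime.strptime(reset_after, "%Y-%m-%d")
    issues = defaultdict(list)
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["user"] == DEFAULT_ADMIN:
            issues[a["user"]].append("default super-admin account still enabled")
        if not a["mfa"]:
            issues[a["user"]].append("MFA not enforced")
        if (today - datetime.strptime(a["last_login"], "%Y-%m-%d")).days > idle_days:
            issues[a["user"]].append(f"idle for more than {idle_days} days: disable")
        if datetime.strptime(a["pw_changed"], "%Y-%m-%d") < cutoff:
            issues[a["user"]].append("password not reset since campaign start: reset")
    return dict(issues)


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print("FINDING", *f)
    for user, probs in account_hygiene(ACCOUNTS, now="2025-04-19").items():
        print(user, "->", "; ".join(probs))
```

The untrusted-source check is the log-side counterpart of "limit VPN access", the idle check drives "disable unused accounts", and the inventory audit shows which accounts still need MFA and a post-campaign password reset. The IoCs Arctic Wolf published would be added as a further source-address match once exported from their report.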
Conclusion
The ongoing exploitation of a SonicWall SMA vulnerability patched in 2021 underscores that timely patching must go together with basic credential hygiene on edge appliances: a default super admin password turns an authenticated flaw into a remotely reachable one. Organizations should update firmware, reset local passwords, enforce MFA and review authentication logs for the activity described above.
References
[1] National Vulnerability Database. “CVE-2021-20035”. Retrieved 2025-04-19.
[2] SonicWall. “SonicWall Advisory”. Retrieved 2025-04-19.
[3] CISA. “CISA Alert”. Retrieved 2025-04-19.
[4] Arctic Wolf. “Arctic Wolf Report”. Retrieved 2025-04-19.
[5] Arctic Wolf. “Arctic Wolf Report”. Retrieved 2025-04-19.