SonicWall Patches Critical SMA 100 Vulnerabilities Enabling Arbitrary Code Execution

TL;DR

SonicWall has addressed three critical vulnerabilities in its SMA 100 series, including a potential zero-day, which could be exploited in a chain to execute arbitrary code. Researchers demonstrated a full exploit chain, highlighting the severity of these flaws.

Main Content

SonicWall recently patched three significant vulnerabilities in its SMA 100 series (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821). These flaws, including a potential zero-day, could be chained by remote attackers to execute arbitrary code.

Vulnerability Details

  1. CVE-2025-32819 (CVSS Score: 8.8):
    • Type: Post-Authentication SSLVPN User Arbitrary File Delete.
    • Impact: Allows an authenticated attacker to delete arbitrary files, potentially leading to a factory reset.
    • Advisory: SonicWall Advisory
  2. CVE-2025-32820 (CVSS Score: 8.3):
    • Type: Post-Authentication SSLVPN User Path Traversal.
    • Impact: Enables an authenticated attacker to make any directory on the SMA appliance writable.
  3. CVE-2025-32821 (CVSS Score: 6.7):
    • Type: Post-Authentication SSLVPN Admin Remote Command Injection.
    • Impact: Allows an authenticated attacker with admin privileges to inject shell commands and upload files.

Exploit Chain

Researchers at Rapid7 discovered these vulnerabilities in April 2025. They demonstrated that an attacker with SSLVPN access could chain these flaws to:

  • Gain admin rights.
  • Write to system directories.
  • Achieve root-level remote code execution.

The issues were fixed in version 10.2.1.15-81sv.
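A practical follow-up to the fix version named above is checking an appliance inventory against it. The following is an added example, not code from the post, SonicWall or Rapid7; it assumes the version string format shown in the post (four dotted numeric fields plus an optional "-<build>sv" suffix), treats anything at or above 10.2.1.15-81sv as carrying the fix, and uses a constructed inventory.

```python
"""Flag SonicWall SMA 100 firmware versions older than the fixed release.

Added example (not from the original post). Assumes the format seen in the
post, e.g. 10.2.1.15-81sv: four dotted fields, optional "-<build>sv" suffix.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "10.2.1.15-81sv"  # fixed release named in the post

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)sv)?$")


def parse_version(s: str) -> Optional[Tuple[int, ...]]:
    """Return a comparable tuple for an SMA version string, or None if the
    string does not match the expected format. A missing build suffix is
    treated as build 0, so '10.2.1.15' sorts before '10.2.1.15-81sv'."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch, hotfix, build = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix), int(build or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `version` is older than the fixed release, False if at or
    above it, None if it cannot be parsed (treat as needing manual review)."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f


# Constructed sample inventory: hostname -> firmware version as reported
SAMPLE_INVENTORY = {
    "sma-branch-01": "10.2.1.14-75sv",  # older build: needs the patch
    "sma-branch-02": "10.2.1.15-81sv",  # exactly the fixed release
    "sma-dc-01": "10.2.1.15",           # same dotted fields, no build: older
    "sma-lab-01": "10.2.2.1-90sv",      # newer branch (assumed to include fix)
    "sma-legacy": "unknown",            # unparseable: flag for review
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket appliances into 'patch', 'ok' and 'review' lists."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "review": []}
    for host, ver in sorted(inventory.items()):
        state = is_vulnerable(ver)
        key = "review" if state is None else ("patch" if state else "ok")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```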

Potential Exploitation

Rapid7’s report suggests that these vulnerabilities may have been exploited in real-world attacks. Their investigation revealed that known indicators of compromise (IOCs) and incident response data point to potential exploitation in the wild [1].

Demonstration of Exploit

Researchers successfully demonstrated a full exploit chain on SonicWall SMA using these three flaws. Starting from a low-privilege session cookie, they:

  • Reset the admin password by deleting a database file.
  • Made the /bin directory writable.
  • Executed a reverse shell payload to achieve root-level remote code execution.

For more details, visit the full article: Source

Conclusion

The identification and patching of these vulnerabilities underscore the importance of regular security updates and vigilant monitoring. Organizations using SonicWall SMA 100 series devices should apply the latest patches to mitigate these risks.

References

  1. Rapid7 (2025). “Multiple Vulnerabilities in SonicWall SMA 100 Series”. Rapid7 Blog. Retrieved 2025-05-09.

This post is licensed under CC BY 4.0 by the author.