The Urgent Threat to SonicWall SMA Appliances
A critical remote code execution vulnerability in SonicWall Secure Mobile Access (SMA) appliances has been under active attack since January 2025, according to cybersecurity firm Arctic Wolf.
Details of the Vulnerability
The flaw, identified as CVE-2021-20035, affects multiple models, including the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. SonicWall originally patched it in September 2021. The vulnerability was initially believed only to enable DoS attacks; its impact was later expanded to include potential remote code execution, and its CVSS score was upgraded to a high-severity rating of 7.2.
Exploitation and Impact
Threat actors have leveraged this vulnerability to execute low-complexity attacks. They primarily exploit weaknesses in the SMA100 management interface, enabling them to inject arbitrary commands. Such breaches allow hackers, even with minimal privileges, to execute harmful code as a ‘nobody’ user.
Official Responses and Defensive Measures
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the seriousness of these breaches by adding this vulnerability to its Known Exploited Vulnerabilities catalog. It has required Federal Civilian Executive Branch (FCEB) agencies to secure their networks against these exploits until at least May 7th.
Impacted and Secured Versions
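Product | Platform | Impacted Version | Fixed Version |
---|---|---|---|
SMA 100 Series | SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v (ESX, KVM, AWS, Azure) | 10.2.1.0-17sv and earlier | 10.2.1.1-19sv and above |
SMA 100 Series | SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v (ESX, KVM, AWS, Azure) | 10.2.0.7-34sv and earlier | 10.2.0.8-37sv and above |
SMA 100 Series | SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v (ESX, KVM, AWS, Azure) | 9.0.0.10-28sv and earlier | 9.0.0.11-31sv and above |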
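To triage a fleet against the table above, the following added example (not SonicWall or Arctic Wolf code) classifies firmware strings by branch. It assumes the first three version fields identify the branch; the function names, hostnames and sample inventory are constructed for illustration.

```python
import re

# (last impacted build, first fixed build) per firmware branch, from the table above.
# Assumption: the first three numeric fields identify the branch.
BRANCHES = {
    (10, 2, 1): ((10, 2, 1, 0, 17), (10, 2, 1, 1, 19)),
    (10, 2, 0): ((10, 2, 0, 7, 34), (10, 2, 0, 8, 37)),
    (9, 0, 0): ((9, 0, 0, 10, 28), (9, 0, 0, 11, 31)),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def classify(version):
    """Return impacted, fixed, unlisted, unknown-branch or unparsed."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        return "unparsed"  # never guess at a malformed inventory entry
    build = tuple(int(part) for part in match.groups())
    bounds = BRANCHES.get(build[:3])
    if bounds is None:
        return "unknown-branch"  # not in the table: check the vendor advisory
    last_impacted, first_fixed = bounds
    if build <= last_impacted:
        return "impacted"
    if build >= first_fixed:
        return "fixed"
    return "unlisted"  # between the two listed builds: the table does not say


def triage(inventory):
    """Map each host to its status and list the hosts that are not confirmed fixed."""
    status = {host: classify(version) for host, version in inventory.items()}
    needs_action = sorted(h for h, s in status.items() if s != "fixed")
    return status, needs_action


# Constructed sample inventory (hostnames and the mix of builds are made up).
SAMPLE_INVENTORY = {
    "sma-edge-01": "10.2.1.0-17sv",
    "sma-edge-02": "10.2.1.1-19sv",
    "sma-lab-01": "9.0.0.10-28sv",
    "sma-lab-02": "10.2.0.8-36sv",
    "sma-old-01": "8.0.0.4-25sv",
    "sma-bad-01": "10.2.1",
}

if __name__ == "__main__":
    status, needs_action = triage(SAMPLE_INVENTORY)
    for host in sorted(status):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:16} {status[host]}")
    print("needs action:", ", ".join(needs_action))
```

Anything other than `fixed` lands in the action list, so unparsed or unlisted builds are reviewed rather than silently treated as safe.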
Best Practices for Network Defense
To prevent the exploitation of CVE-2021-20035, cybersecurity experts recommend the following strategies:
- Limit VPN access to essential accounts only.
- Deactivate any unnecessary accounts.
- Implement multi-factor authentication for all user accounts.
- Reset passwords for all local accounts on vulnerable SonicWall SMA firewalls.
Additional Security Alerts
Following the exploitation of this vulnerability, SonicWall has issued additional advisories urging users to patch other critical vulnerabilities that have been targeted in zero-day attacks, further emphasizing the advanced threat landscape facing its devices.
Last Updated: April 18, 2025