Saturday, April 19, 2025

SonicWall SMA VPN devices targeted in attacks since January

A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.

This security flaw (CVE-2021-20035) impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and was patched almost four years ago, in September 2021, when SonicWall said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks.

However, the company updated the four-year-old security advisory on Monday to flag the security bug as exploited in attacks, expand the impact to include remote code execution, and upgrade the CVSS severity score from medium to high severity.

“This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2,” SonicWall said.

Successful exploitation can allow remote threat actors with low privileges to exploit an “improper neutralization of special elements in the SMA100 management interface” to inject arbitrary commands as a ‘nobody’ user and execute arbitrary code in low-complexity attacks.

CISA has also added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming it is now being abused in the wild and ordering Federal Civilian Executive Branch (FCEB) agencies to secure their networks against ongoing attacks by May 7th.





| Product | Platform | Impacted Version | Fixed Version |
|---|---|---|---|
| SMA 100 Series | SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v (ESX, KVM, AWS, Azure) | 10.2.1.0-17sv and earlier | 10.2.1.1-19sv and higher |
| | | 10.2.0.7-34sv and earlier | 10.2.0.8-37sv and higher |
| | | 9.0.0.10-28sv and earlier | 9.0.0.11-31sv and higher |
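
An added example, not part of the original article or SonicWall's advisory: a Python check that classifies SMA 100 firmware version strings against the impacted and fixed versions listed in the table above. The hostnames and inventory are constructed, and treating the first three version fields as the release branch is an assumption.

```python
import re

# (last impacted, first fixed) per release branch, taken from the table above.
# Assumption: the first three fields of "10.2.1.0-17sv" identify the branch.
BRANCHES = {
    (10, 2, 1): ((10, 2, 1, 0, 17), (10, 2, 1, 1, 19)),
    (10, 2, 0): ((10, 2, 0, 7, 34), (10, 2, 0, 8, 37)),
    (9, 0, 0): ((9, 0, 0, 10, 28), (9, 0, 0, 11, 31)),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Turn '10.2.0.7-34sv' into (10, 2, 0, 7, 34); raise ValueError otherwise."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized SMA firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(text):
    """Return 'impacted', 'fixed', or 'unknown' for one firmware version."""
    version = parse_version(text)
    bounds = BRANCHES.get(version[:3])
    if bounds is None:
        return "unknown"  # branch not listed in the table: check manually
    last_impacted, first_fixed = bounds
    if version >= first_fixed:
        return "fixed"
    if version <= last_impacted:
        return "impacted"
    return "unknown"  # build falls between the two listed versions

def audit(inventory):
    """Map each host to its status; malformed versions become 'unparseable'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"sma-a.example.internal": "10.2.0.7-34sv",
              "sma-b.example.internal": "10.2.1.1-19sv",
              "sma-c.example.internal": "9.0.0.9-20sv"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Anything reported as `unknown` or `unparseable` needs a manual check against the vendor advisory rather than being assumed safe.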

Actively exploited since January

Days after SonicWall tagged the security bug as exploited in the wild without sharing when the attacks started, cybersecurity company Arctic Wolf reported that threat actors used CVE-2021-20035 exploits in attacks as early as January 2025.

In this campaign, the attackers have also used a local super admin account with a “password” default password to target SMA 100 appliances with the management interface exposed online.

“Arctic Wolf has identified an ongoing VPN credential access campaign targeting SMA 100 series appliances, with a starting timeframe as early as January 2025, extending into April 2025,” the cybersecurity firm said.

“One noteworthy aspect of the campaign was the use of a local super admin account (admin@LocalDomain) on these appliances, which has an insecure default password of password.”

To block CVE-2021-20035 attacks targeting their SonicWall appliances, Arctic Wolf advised network defenders to limit VPN access to the minimum necessary accounts, deactivate unneeded accounts, enable multi-factor authentication for all accounts, and reset passwords for all local accounts on SonicWall SMA firewalls.

SonicWall also urged customers in January to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks and, one month later, in February, warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that can let hackers hijack VPN sessions.
