Threat Actors Exploiting SonicWall SMA Appliances Since January 2025

Arctic Wolf researchers have found that threat actors have been actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025. The vulnerability, tracked as CVE-2021-20035, carries a CVSS score of 7.1, rating it high severity.

The vulnerability is an OS command injection flaw in the SMA100 management interface that allows a remote authenticated attacker to inject arbitrary commands, which run as the ‘nobody’ user. This could lead to arbitrary code execution, giving attackers significant control over the affected appliance. Because the attacker must first authenticate, weak or default credentials are what make the flaw reachable in practice.

Impact and Mitigation

The vulnerability impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices. SonicWall addressed it in September 2021 through a software patch. However, some organizations apparently remain exposed because of poor password hygiene.

CISA Adds Flaw to Known Exploited Vulnerabilities Catalog

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2021-20035 flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to fix this vulnerability by May 7, 2025.

Active Campaign Targeting SonicWall SMA Appliances

Arctic Wolf researchers have uncovered an active campaign, running from January to April 2025, targeting SonicWall SMA 100 series appliances to steal VPN credentials. Threat actors were spotted exploiting the default super admin account (admin@LocalDomain), which often still uses the weak default password “password.”

Even Fully Patched Devices Can Be Compromised

"It is important to note that even fully patched firewall devices may still become compromised if accounts use poor password hygiene," warns Arctic Wolf. The organization recommends limiting VPN access, disabling unused accounts, enabling multi-factor authentication, and resetting all local account passwords on SonicWall SMA firewalls to block CVE-2021-20035 attacks.
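The recommendations above are preventive; a SOC will also want to see the campaign's pattern in its own authentication logs. The following is an added example, not code from Arctic Wolf or SonicWall, showing the two signals a defender would alert on for this campaign: a burst of failed logins to the default super admin account followed by a success (credential guessing against the default password), and any successful login to admin@LocalDomain from a source address outside an allowlisted management network. The log format, the allowlist (192.0.2.10) and the sample lines are constructed for the example and do not reflect SonicWall's real syslog schema; adapt the regular expression to the fields your appliance actually exports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical account name from the article; the allowlist is a constructed
# management-network address, not a real SonicWall default.
DEFAULT_ADMIN = "admin@LocalDomain"
ADMIN_ALLOWLIST = {"192.0.2.10"}

# Constructed sample log lines in an invented "key=value" format (not SonicWall's
# real syslog layout): five failures and a success from one outside address,
# a normal user login, and an admin login from the allowlisted address.
SAMPLE_LOG = """\
2025-02-03T08:12:01Z auth user=admin@LocalDomain src=203.0.113.45 result=FAIL
2025-02-03T08:12:03Z auth user=admin@LocalDomain src=203.0.113.45 result=FAIL
2025-02-03T08:12:05Z auth user=admin@LocalDomain src=203.0.113.45 result=FAIL
2025-02-03T08:12:07Z auth user=admin@LocalDomain src=203.0.113.45 result=FAIL
2025-02-03T08:12:09Z auth user=admin@LocalDomain src=203.0.113.45 result=FAIL
2025-02-03T08:12:11Z auth user=admin@LocalDomain src=203.0.113.45 result=SUCCESS
2025-02-03T09:00:00Z auth user=jdoe src=198.51.100.7 result=SUCCESS
2025-02-03T09:30:00Z auth user=admin@LocalDomain src=192.0.2.10 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _within_window(timestamps, now, window):
    """Keep only failure timestamps that fall inside the sliding window ending at `now`."""
    return [t for t in timestamps if now - t <= window]


def analyze(log_text, allowlist=ADMIN_ALLOWLIST, fail_threshold=5,
            window=timedelta(minutes=5)):
    """Return a list of alert dicts for the guessing and unexpected-source patterns."""
    alerts = []
    recent_fail = defaultdict(list)  # (user, src) -> recent failure timestamps

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        key = (rec["user"], rec["src"])
        base = {"user": rec["user"], "src": rec["src"], "ts": rec["ts"].isoformat()}

        if rec["result"] == "FAIL":
            fails = _within_window(recent_fail[key] + [rec["ts"]], rec["ts"], window)
            recent_fail[key] = fails
            # Fire once, exactly when the threshold is crossed inside the window.
            if len(fails) == fail_threshold:
                alerts.append(dict(base, kind="password_guessing"))
            continue

        # result == SUCCESS from here on.
        if rec["user"] == DEFAULT_ADMIN and rec["src"] not in allowlist:
            alerts.append(dict(base, kind="default_admin_unexpected_source"))
        fails = _within_window(recent_fail[key], rec["ts"], window)
        if len(fails) >= fail_threshold:
            # A success right after a burst of failures is the strongest signal
            # that a guessed (e.g. default) password just worked.
            alerts.append(dict(base, kind="success_after_guessing"))
        recent_fail[key] = []  # a success resets the failure run for this pair

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["kind"]:32} user={alert["user"]} src={alert["src"]}')
```

Running the script prints three alerts, all tied to 203.0.113.45: the guessing burst, the default admin login from an address outside the allowlist, and the success that immediately followed the failures. The login from the allowlisted address produces nothing, which is the point of pairing the allowlist with the account name rather than alerting on every admin@LocalDomain login.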

Organizations are urged to take immediate action to secure their SonicWall SMA appliances and prevent potential exploitation. Remember to follow best practices for password management and stay vigilant against such threats.

Stay Informed

To stay informed about the latest cybersecurity threats and updates, follow me on Twitter: @securityaffairs and Facebook and Mastodon.