SonicWall Fixes Critical SMA 100 Vulnerabilities
SonicWall has released a critical security patch to address three significant vulnerabilities in its SMA 100 device, which could be chained together to execute arbitrary code. The patches, available in version 10.2.1.15-81sv, fix CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, which have been identified as potential zero-day threats.
A Post-Authentication SSLVPN User Arbitrary File Delete Vulnerability
The first vulnerability, tracked as CVE-2025-32819, is a post-authentication SSLVPN user arbitrary file delete vulnerability. According to SonicWall's advisory, a remote authenticated attacker with SSLVPN user privileges can bypass path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings.
This flaw has a CVSS score of 8.8, indicating a high level of severity. SonicWall's patch addresses this vulnerability by ensuring that file deletion is properly restricted, preventing unauthorized access to sensitive data.
A Post-Authentication SSLVPN User Path Traversal Issue
The second vulnerability, tracked as CVE-2025-32820, is a post-authentication SSLVPN user path traversal issue. An authenticated remote attacker can use path traversal via SSLVPN to make any directory on the SMA appliance writable.
This flaw has a CVSS score of 8.3, indicating a high level of severity. SonicWall's patch addresses this vulnerability by implementing proper access controls and ensuring that sensitive data is protected from unauthorized modification.
A Post-Authentication SSLVPN Admin Remote Command Injection Vulnerability
The third vulnerability, tracked as CVE-2025-32821, is a post-authentication SSLVPN admin remote command injection vulnerability. According to SonicWall's advisory, a remote authenticated attacker with SSLVPN admin privileges can inject shell command arguments to upload a file on the appliance.
This flaw has a CVSS score of 6.7, which falls in the medium severity range. SonicWall's patch addresses this vulnerability by implementing proper input validation and sanitization, preventing malicious code from being executed.
Rapid7 Researchers Discover Vulnerabilities
Rapid7 researchers discovered these vulnerabilities in April 2025. In their report, they highlighted the potential for an attacker with SSLVPN access to chain the three flaws together to gain admin rights, write to system directories, and achieve root-level remote code execution.
Exploit Chain Demonstrated
Rapid7 researchers demonstrated a full exploit chain on SonicWall SMA using the three flaws. Starting from a low-privilege session cookie, they reset the admin password by deleting a database file, made /bin writable, and executed a reverse shell payload to achieve root-level remote code execution.
Potential Exploitation in the Wild
Rapid7 researchers believe that this vulnerability may have been exploited in attacks in the wild. Based on known private IOCs and Rapid7 incident response investigations, they suspect that this vulnerability was used in malicious activities.
It is essential for SonicWall customers to apply the latest security patch, version 10.2.1.15-81sv, as soon as possible to prevent potential exploitation of these critical vulnerabilities.
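To act on that recommendation across more than one appliance, the following added example (not from SonicWall, Rapid7, or the original article) sorts an inventory of firmware versions against the fixed release 10.2.1.15-81sv. The version format, the "hostname,version" inventory layout, the sample hostnames, and the rule that a higher build number means a later release are assumptions.

```python
import re

FIXED = "10.2.1.15-81sv"  # fixed release named in the article

# Assumed format, inferred from the one version string on the page:
# four dotted numbers, a dash, a build number, and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Return a comparable tuple of ints, or None if the string does not match."""
    m = _VERSION_RE.match(text.strip().lower())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(inventory_lines, fixed=FIXED):
    """Sort 'hostname,version' records into patched / vulnerable / unknown."""
    fixed_key = parse_version(fixed)
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        key = parse_version(version)
        if key is None:
            # Unparseable versions go to manual review, never assumed safe.
            result["unknown"].append(host.strip())
        elif key >= fixed_key:
            result["patched"].append(host.strip())
        else:
            result["vulnerable"].append(host.strip())
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
# hostname,firmware
vpn-edge-01,10.2.1.14-75sv
vpn-edge-02,10.2.1.15-81sv
vpn-edge-03,10.2.1.9-57sv
vpn-edge-04,10.2.2.0-3sv
vpn-lab-01,unknown
""".splitlines()

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing numeric tuples rather than raw strings matters here: a plain string comparison would rank 10.2.1.9 above 10.2.1.15 and report an unpatched appliance as current.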
Stay Safe Online
To stay safe online, it is crucial to keep your software and systems up-to-date with the latest security patches. Regularly monitor your system's logs and implement robust security controls to detect and respond to potential threats.