Original Article Text


SonicWall urges admins to patch VPN flaw exploited in attacks

SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.

Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.

The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.

"SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities," SonicWall said in a Wednesday advisory.

Successful exploitation of CVE-2025-32819 allows threat actors to delete the primary SQLite database, reset the password of the default SMA admin user, and log in as admin to the SMA web interface. Next, they can exploit the CVE-2025-32820 path traversal vulnerability to make the /bin folder writable and then gain remote code execution as root by exploiting CVE-2025-32821.

"An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution," Rapid7 said. "Based on known (private) IOCs and Rapid7 incident response investigations, we believe this vulnerability may have been used in the wild."

SonicWall advised admins to check their SMA devices' logs for any signs of unauthorized logins and to enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure.

Last week, SonicWall warned customers that two other vulnerabilities (CVE-2023-44221 and CVE-2024-38475) affecting SMA appliances are now actively exploited in attacks to inject commands and execute code remotely.

The company flagged another high-severity flaw (CVE-2021-20035) as exploited in remote code execution attacks targeting SMA100 VPN appliances in April. One day later, cybersecurity company Arctic Wolf revealed the security bug had been under active exploitation since at least January 2025.

In January, SonicWall also urged admins to patch a critical flaw in SMA1000 secure access gateways exploited in zero-day attacks, and one month later warned of an actively exploited authentication bypass flaw impacting Gen 6 and Gen 7 firewalls that lets hackers hijack VPN sessions.
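As an added example (not from the article, SonicWall or Rapid7), a small inventory check that flags affected SMA 100 series models still running firmware below the fixed release named above. It assumes SMA 100 series version strings follow the `10.2.1.15-81sv` shape, with dotted numeric components followed by a numeric build number and an `sv` suffix, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed release from the advisory; anything lower on an affected model still needs the patch.
FIXED_VERSION = "10.2.1.15-81sv"
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

# Assumption: SMA 100 series firmware strings look like "10.2.1.15-81sv",
# i.e. dotted numeric components, a hyphen, a numeric build number and "sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.1.15-81sv' into a comparable tuple (10, 2, 1, 15, 81)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 series firmware version: {version!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    return parts + (int(m.group(2)),)


def needs_patch(model: str, version: str) -> bool:
    """True when the appliance is an affected model running firmware below the fix."""
    if model not in AFFECTED_MODELS:
        # Other product lines (e.g. SMA 1000) use a different scheme and are out of scope here.
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return the (hostname, model, version) entries that still need the fixed release."""
    return [entry for entry in inventory if needs_patch(entry[1], entry[2])]


# Constructed sample inventory: hostnames and version numbers are made up for the example.
SAMPLE_INVENTORY = [
    ("vpn-hq-01", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-hq-02", "SMA 410", "10.2.1.15-81sv"),
    ("vpn-lab", "SMA 500v", "10.2.1.9-57sv"),
    ("vpn-branch", "SMA 1000", "12.4.3-02804"),
]

if __name__ == "__main__":
    for host, model, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {version} -> upgrade to {FIXED_VERSION}")
```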

Daily Brief Summary

MALWARE // SonicWall Alerts on VPN Vulnerabilities; Urges Immediate Patching

SonicWall has identified three critical vulnerabilities in its Secure Mobile Access (SMA) appliances, with one being actively exploited.

The impacted models include SMA 200, 210, 400, 410, and 500v, with patches available in firmware version 10.2.1.15-81sv or higher.

Researchers at Rapid7 discovered these flaws, which could allow attackers to achieve remote code execution as root.

Vulnerabilities can be exploited in sequence: first compromising the database to reset admin passwords, then writing to system files, and finally executing code as root.

SonicWall advises customers to upgrade their firmware to the fixed release and to check device logs for unauthorized access signs.

Additional security recommendations include enabling a web application firewall and multifactor authentication on SMA devices.

Recent history shows this is not an isolated issue for SonicWall, with several other high-severity vulnerabilities reported and exploited in the recent past.