CISA tags SonicWall VPN flaw as actively exploited in attacks
On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability.
Tracked as CVE-2021-20035, this security flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. Successful exploitation can allow remote threat actors with low privileges to execute arbitrary code in low-complexity attacks.
"Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution," SonicWall explains in an advisory updated this week.
SonicWall patched this vulnerability almost four years ago, in September 2021, when the company said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks.
However, it updated the CVE-2021-20035 security advisory on Monday to flag it as exploited in attacks and expand the impact to include code execution.
"This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2," SonicWall said.
| Product | Platform | Impacted Version | Fixed version |
| SMA 100 Series | • SMA 200 • SMA 210 • SMA 400 • SMA 410 • SMA 500v (ESX, KVM, AWS, Azure) | 10.2.1.0-17sv and earlier | 10.2.1.1-19sv and higher |
| 10.2.0.7-34sv and earlier | 10.2.0.8-37sv and higher | ||
| 9.0.0.10-28sv and earlier | 9.0.0.11-31sv and higher |
Yesterday, CISA confirmed the vulnerability is now being abused in the wild by adding it to the Known Exploited Vulnerabilities catalog, which lists security flaws flagged by the cybersecurity agency as actively exploited in attacks.
As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until May 7th, to secure their networks against ongoing attacks.
While BOD 22-01 only applies to U.S. federal agencies, all network defenders should prioritize patching this security vulnerability as soon as possible to block potential breach attempts.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
In February, SonicWall also warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that could let hackers hijack VPN sessions.
One month earlier, the company urged customers to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks.
CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices
New Windows Server emergency updates fix container launch issue
Free online web security scanner
