Full Report
The network security device vendor is making a regular appearance on CISA’s known exploited vulnerabilities catalog. Unlike its competitors, SonicWall hasn’t signed the secure-by-design pledge. The post SonicWall customers confront resurgence of actively exploited vulnerabilities appeared first on CyberScoop.
Analysis Summary
The following is an actionable summary of the disclosed security flaws, based only on the context provided above.
# Vulnerability: Chained Remote Code Execution in SonicWall SMA 100 Appliances
## CVE Details
- CVE ID: CVE-2025-32819, CVE-2025-32820, CVE-2025-32821 (Three distinct vulnerabilities affecting SMA 100 appliances)
- CVSS Score: Not explicitly provided for these three, but the outcome of chaining them is RCE as root, implying critical severity.
- CWE: Not explicitly detailed in the text.
## Affected Systems
- Products: SonicWall SMA 100 Appliances
- Versions: Unspecified, but applies to **SMA 100 series** appliances generally before the patch update. Customers are urged to upgrade, as the SMA 100 series has been marked for End-of-Life (EOL).
- Configurations: Affects SMA 100 appliances accessible to an attacker with any low-privilege user account.
## Vulnerability Description
This summary focuses on the three new vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) affecting SonicWall SMA 100 appliances. These flaws can be chained together to achieve **Remote Code Execution (RCE) as root** on the device, granting the highest level of control.
The likely exploitation chain, as described by the researcher, proceeds as follows:
1. **CVE-2025-32819:** Allows an attacker with low-privilege access to delete a critical file and force a reboot.
2. **Reboot/Login:** The reboot causes the appliance to restart with a default administrator username and password.
3. **CVE-2025-32820 & CVE-2025-32821:** Used post-reboot with elevated privileges to establish full control over the device.
## Exploitation
- Status: **POC available.** Rapid7 believes CVE-2025-32819 **may have been exploited in the wild** based on internal evidence. SonicWall states they have no data validating hostile exploitation yet.
- Complexity: **Low** (the attacker needs an existing low-privilege user account as a prerequisite; once that is in hand, the remaining steps chain directly to RCE as root, which is what makes the outcome so consequential).
- Attack Vector: Likely **Network** (given the SMA appliance context) leading to System Compromise.
## Impact
- Confidentiality: **High** (RCE as root allows full data access)
- Integrity: **High** (Full root control allows unauthorized system modification)
- Availability: **High** (Full root control allows device shutdown or disruption)
## Remediation
### Patches
- SonicWall released a software update/security advisory with patches for **CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821**. Customers must apply the latest patches provided by SonicWall.
### Workarounds
- The text strongly recommends applying the latest patches immediately due to the critical nature and availability of exploit code.
- **General Mitigation:** SonicWall is pushing customers toward next-generation appliances, as the SMA 100 series has reached End-of-Life (EOL). Utilizing managed firewalls is recommended as it reduces risk from unpatched/unmanaged appliances.
## Detection
- **Indicators of Compromise (IoCs):** Rapid7's internal investigations suggest prior exploitation of CVE-2025-32819, but the text lists no concrete IoCs. The observable steps of the chain are the events to hunt for: deletion of a critical file by a low-privilege user, an unexpected appliance reboot, and a subsequent login using the default administrator credentials.
- **Detection Methods and Tools:** Not specifically detailed. File integrity monitoring (FIM) of critical OS files on the SMA appliance filesystem, together with alerting on unexpected reboots and unusual process execution following low-privilege user logins, should be prioritized.
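The FIM recommendation above can be made concrete with a small baseline-and-compare routine. The following is an added example written for this summary, not code from SonicWall, Rapid7 or CyberScoop: it hashes every regular file under a directory tree, stores the result as a baseline, and later reports files that have gone missing, been modified, or appeared. The demo builds a constructed directory in a temporary folder with placeholder file names (`etc/guard.conf`, `etc/users.db`, `tmp/dropped.sh` are invented for illustration, not real SMA paths) and then simulates the kind of tampering the chain depends on, a critical file being deleted, so that the report flags it.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file below root (POSIX-style relative path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report deletions, additions and content changes relative to the baseline.

    A deleted critical file is the signal most relevant to the chain described
    above, so 'missing' is the bucket a responder should look at first.
    """
    missing = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"missing": missing, "added": added, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, diff it.

    All file names and contents here are invented placeholders.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "guard.conf").write_text("mode=strict\n")   # placeholder critical file
        (root / "etc" / "users.db").write_text("admin:locked\n")    # placeholder account store
        baseline = build_baseline(root)

        # Simulated tampering: critical file removed, account store rewritten,
        # and an unexpected file dropped into a scratch directory.
        (root / "etc" / "guard.conf").unlink()
        (root / "etc" / "users.db").write_text("admin:changed\n")
        (root / "tmp").mkdir()
        (root / "tmp" / "dropped.sh").write_text("#!/bin/sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

In practice the baseline would be captured immediately after patching and stored off the appliance, and the comparison run on a schedule or after any reboot, since a reboot is itself one of the steps in the chain described above.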
## References
- Vendor Advisories: SonicWall Security Advisory corresponding to the May 2025 disclosure (details not linked).
- Relevant Links:
  - Rapid7 Blog Post (Details on CVE-2025-32819, CVE-2025-32820, CVE-2025-32821): `hxxps://www[.]rapid7[.]com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/`
  - CISA KEV Catalog: `hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog`
  - SonicWall PSIRT Vuln List: `hxxps://psirt[.]global[.]sonicwall[.]com/vuln-list`
  - NVD Lookups: `hxxps://nvd[.]nist[.]gov/vuln/detail/cve-2025-32819` (and related CVEs)
---
**NOTE:** Several other critical, exploited vulnerabilities are mentioned in the general context (e.g., CVE-2023-44221, CVE-2021-20035, CVE-2025-23006, CVE-2024-53704) targeting SMA 100 and SonicOS SSL/VPN. Customers should audit for all mentioned CVEs, as the environment seems under active threat.