Full Report
A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf. [...]
Analysis Summary
# Vulnerability: SonicWall SMA 100 Series VPN Active Exploitation Campaign (CVE-2021-20035)
## CVE Details
- CVE ID: CVE-2021-20035
- CVSS Score: *Score not explicitly provided in text, assumed High/Critical due to active exploitation and government directives.*
- CWE: *Not specified in the provided text.*
## Affected Systems
- Products: SonicWall SMA 100 Series VPN Devices
- Versions:
  - SMA 200, 210, 400, 410, 500v (ESX, KVM, AWS, Azure) running firmware versions:
    - 10.2.1.0-17sv and earlier
    - 10.2.0.7-34sv and earlier
    - 9.0.0.10-28sv and earlier
- Configurations: Based on the observed attacks, exploitation requires the appliance's management interface to be exposed to the internet.
## Vulnerability Description
The source text describes a campaign targeting SonicWall SMA 100 series appliances through CVE-2021-20035, a remote code execution vulnerability. Observed since January 2025, the campaign involves attackers exploiting this vulnerability, in some cases combined with use of the local super admin account (`admin@LocalDomain`) still configured with the default, insecure password "password", to obtain credentials and compromise the devices.
## Exploitation
- Status: Actively exploited in the wild (since January 2025). CISA has issued an advisory regarding this vulnerability.
- Complexity: Implied to be low, given the campaign's success and the use of default credentials in some observed attacks.
- Attack Vector: Network (Targeting internet-exposed management interfaces).
## Impact
The text indicates a "credential access campaign" targeting SMA 100 series appliances.
- Confidentiality: High (Likely leading to session hijacking or unauthorized access).
- Integrity: High (Potential for system modification via elevated access).
- Availability: Medium to High (If systems are compromised or taken offline during remediation).
## Remediation
### Patches
SonicWall provided fixes in the following versions:
- 10.2.1.1-19sv and higher
- 10.2.0.8-37sv and higher
- 9.0.0.11-31sv and higher
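As an added example (not code from the article, Arctic Wolf or SonicWall), a small inventory check that classifies SMA 100 firmware versions against the fixed versions listed above. The version-string layout it parses (four dotted numbers, a build number and "sv") and the sample inventory are assumptions made for the example.

```python
import re

# Fixed firmware versions per SMA 100 branch, as listed under "Patches" above.
# The branch key is the first three numeric components of the version string.
FIXED_VERSIONS = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}

# Assumed layout of SMA version strings: four dotted numbers, a dash, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version):
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so versions compare numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Classify a firmware version against its branch's fixed version (conservative:
    anything below the fixed version on a known branch counts as vulnerable)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:3])
    if fixed is None:
        return "unknown-branch"  # not covered by the advisory; confirm with the vendor
    return "vulnerable" if parsed < parse_version(fixed) else "patched"


def assess_inventory(inventory):
    """Return (host, version, status) rows for every appliance, vulnerable ones first."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda row: row[2] != "vulnerable")


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.0-17sv",
    "sma-hq-02": "10.2.1.1-19sv",
    "sma-dc-01": "9.0.0.10-28sv",
    "sma-lab-01": "10.2.0.8-37sv",
}

if __name__ == "__main__":
    for host, ver, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:15} {status}")
```

A version on a branch the advisory does not list is reported as "unknown-branch" rather than silently treated as safe.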
### Workarounds
Arctic Wolf advised the following mitigations for securing SMA 100 series appliances against ongoing attacks:
1. Limit VPN access to the minimum necessary accounts.
2. Deactivate unneeded accounts.
3. Enable multi-factor authentication (MFA) for all accounts.
4. Reset passwords for all *local* accounts on SonicWall SMA appliances.
## Detection
- Indicators of Compromise (IOCs): The source gives no file hashes or network indicators; the observed tradecraft is use of the local super admin account (`admin@LocalDomain`) with the default password "password".
- Detection Methods and Tools: Network defenders should monitor SMA 100 series devices for unusual logins or activity on local administrative accounts, in particular `admin@LocalDomain`, and review whether the management interface is reachable from the internet.
## References
- Vendor Advisory/CISA Alert: CISA added this to the Known Exploited Vulnerabilities Catalog.
- Related SonicWall Advisories (Contextual):
  - Notice regarding an actively exploited SMA1000 RCE flaw (patched earlier).
  - Notice regarding an actively exploited authentication bypass flaw in Gen 6/Gen 7 firewalls (a different vulnerability, included for context on the ongoing threat landscape).
- Relevant Links:
  - hxxps://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog