Full Report
SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks [...]
Analysis Summary
# Vulnerability: Unspecified SonicWall SMA Flaw Exploited in Attacks
## CVE Details
- CVE ID: Not explicitly stated for the primary vulnerability that customers are urged to patch; the related CVEs mentioned are **CVE-2023-44221**, **CVE-2024-38475**, and **CVE-2021-20035**.
- CVSS Score: Not provided for the primary (unlisted) CVE; active exploitation suggests high severity.
- CWE: Not provided.
## Affected Systems
- Products: SonicWall SMA 100 Series appliances (the related CVEs also mention SMA1000 gateways and Gen 6/Gen 7 firewalls).
- Versions: Vulnerable versions for the primary vulnerability are not detailed in this excerpt; patching is described as urgent.
- Configurations: N/A
## Vulnerability Description
The summary highlights an urgent need for SonicWall administrators to patch an unspecified vulnerability in their SMA VPN appliances that is being exploited in the wild. The flaw is tied to remote exploitation and unauthorized access, which is consistent with the other vulnerabilities mentioned for these products (command injection, RCE, and authentication bypass).
## Exploitation
- Status: **Exploited in the wild** (confirmed via Rapid7 incident response investigations and known IOCs).
- Complexity: Implied to be Low/Medium, given active exploitation and prior warnings about related flaws.
- Attack Vector: Likely Network/Remote, targeting the VPN access mechanism.
## Impact
Impact is suggested to be severe due to active exploitation, likely leading to unauthorized access, remote code execution, or session hijacking, consistent with the related observed flaws.
- Confidentiality: High (based on the RCE/unauthorized-access context)
- Integrity: High (based on the command-injection/RCE context)
- Availability: Potential impact from system compromise
## Remediation
### Patches
- Specific patch information for the primary vulnerability is not detailed, but *admins are urged to patch*.
- The related CVEs have vendor advisories, so specific patches exist for those flaws:
  - **CVE-2023-44221**: SNWLID-2023-0018
  - **CVE-2024-38475**: SNWLID-2024-0018
  - **CVE-2021-20035**: SNWLID-2021-0022
### Workarounds
- Enable the **web application firewall (WAF)** on SMA devices.
- **Enable multifactor authentication (MFA)** on SMA100 appliances.
## Detection
- Key action required: check SMA device logs for any signs of **unauthorized logins**.
- Specific IOCs are known but have not been published (per Rapid7). Administrators should use existing security tooling to look for anomalies such as VPN login failures or unusual command execution following authentication.
## References
- Vendor advisories for the related CVEs: https://psirt.global.sonicwall.com/
- Rapid7 analysis (defanged URL): hxxps://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
- Coverage of the related CISA advisory (BleepingComputer, defanged URL): hxxps://www.bleepingcomputer.com/news/security/cisa-tags-sonicwall-vpn-flaw-as-actively-exploited-in-attacks/