CISA flags actively exploited vulnerability in SonicWall SMA devices

2 Min Read

The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw affecting the SonicWall Secure Mobile Access (SMA) 100 Series Gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), is an operating system command injection that can lead to code execution.

“Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user. This could lead to code execution.”
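The advisory text is a description of CWE-78, OS command injection: untrusted input reaches a shell without its special elements being neutralized. The following added illustration is not SonicWall's code (the SMA100 defect itself is not public) and uses hypothetical function names; it places a generic vulnerable command builder beside a hardened form that rejects anything outside a strict allowlist and never hands the value to a shell.

```python
import re
import subprocess
from typing import List

# Added illustration of CWE-78 (OS command injection), the weakness class the
# advisory describes. This is NOT SonicWall's code: the SMA100 defect is not
# public, so the "vulnerable" builder below is a generic sketch of the pattern
# ("special elements" reach a shell unneutralised) next to a hardened form.

# Allowlist for a hostname parameter: letters, digits, dots and hyphens only.
# Anything outside this set (;, |, &, $, backticks, quotes, whitespace) is a
# "special element" a shell would interpret, so it is rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters a POSIX shell treats as separators, substitutions, quoting or
# redirection; used only to report WHY a value is dangerous.
SHELL_METACHARS = set(";|&$`<>(){}\n'\"\\")


def build_command_vulnerable(user_host: str) -> str:
    """Vulnerable pattern: interpolate untrusted input into a command string
    destined for shell=True. Nothing neutralises special elements, so a ';'
    in user_host turns the remainder into a second command."""
    return f"ping -c 1 {user_host}"


def special_elements_in(value: str) -> List[str]:
    """Shell metacharacters present in value, in order of first appearance.
    An empty list means the value cannot alter how a shell parses the line."""
    seen: List[str] = []
    for ch in value:
        if ch in SHELL_METACHARS and ch not in seen:
            seen.append(ch)
    return seen


def is_safe_host(user_host: str) -> bool:
    """True only if the value matches the hostname allowlist exactly."""
    return HOSTNAME_RE.fullmatch(user_host) is not None


def build_command_hardened(user_host: str) -> List[str]:
    """Hardened pattern: validate against the allowlist, then build an argv
    list so the value reaches the program as one argument and is never parsed
    by a shell. '--' stops the value from being read as an option."""
    if not is_safe_host(user_host):
        raise ValueError("host rejected: characters outside hostname allowlist")
    return ["ping", "-c", "1", "--", user_host]


def run_hardened(user_host: str) -> subprocess.CompletedProcess:
    """Execute the hardened argv without shell=True: no shell is involved, so
    no metacharacter can change the command structure."""
    return subprocess.run(build_command_hardened(user_host),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: a benign hostname and one carrying a shell
    # separator (the appended 'echo' is harmless; it only shows the split).
    for sample in ("vpn.example.com", "vpn.example.com; echo injected"):
        print("vulnerable string :", build_command_vulnerable(sample))
        print("special elements  :", special_elements_in(sample))
        try:
            print("hardened argv     :", build_command_hardened(sample))
        except ValueError as exc:
            print("hardened          :", exc)
```

The hardened form does two independent things: the allowlist rejects the input before it is used at all, and the argv list means that even an input the allowlist let through could not change command structure, because no shell ever tokenises it. Either control alone would stop the injection; together they also cover the case where a later maintainer relaxes the regex.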

The defect affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices running the following firmware versions:

  • Before 10.2.1.0-17SV (fixed at 10.2.1.1-19SV or higher)
  • Before 10.2.0.7-34SV (fixed at 10.2.0.8-37SV or higher)
  • 9.0.0.10-28SV or earlier (fixed at 9.0.0.11-31SV or higher)
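For anyone checking an appliance inventory against that list, the following added example (not SonicWall's or CISA's tooling) parses SMA firmware version strings and labels each appliance as needing the patch, carrying the fix, or needing manual review. The version-string format and the grouping into three branches are assumptions drawn from the list above; the inventory rows are constructed sample data.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example: map an SMA 100 series firmware inventory against the
# affected/fixed builds listed above. Version-string format and the branch
# grouping are assumptions drawn from the advisory text; the inventory rows
# at the bottom are constructed sample data.

# Fixed build per branch (branch = first three numeric components), from the
# list above: any build on the branch that sorts below the fixed build is
# still missing the fix.
FIXED_BUILDS = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}

# SMA firmware versions look like 10.2.1.0-17sv: four dotted numbers, a
# hyphen, a build number and the "sv" suffix (case varies in vendor text).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so versions compare
    numerically (plain string comparison would sort '9' above '10')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it carries
    the fix, None if the branch is not one the advisory lists (treat None as
    'needs manual review', never as safe)."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:3])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (appliance, version) row: PATCH (affected), OK (fixed) or
    REVIEW (unlisted branch or unparsable version string)."""
    result = []
    for name, version in inventory:
        try:
            state = is_affected(version)
        except ValueError:
            state = None
        label = "PATCH" if state else ("OK" if state is False else "REVIEW")
        result.append((name, version, label))
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("sma-hq-01", "10.2.1.0-17sv"),
    ("sma-hq-02", "10.2.1.1-19sv"),
    ("sma-dc-01", "10.2.0.7-34sv"),
    ("sma-lab-01", "9.0.0.10-28sv"),
    ("sma-lab-02", "10.2.2.0-1sv"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<12} {:<16} {}".format(*row))
```

Note that the check only answers the firmware question; as the Arctic Wolf findings below make clear, a fully patched appliance with a default or weak local admin password is still exposed, so credential review belongs on the same checklist.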

The exact details surrounding the exploitation of CVE-2021-20035 are currently unknown, but SonicWall has since updated its bulletin to acknowledge that “the vulnerability could be exploited in the wild.”

Federal Civilian Executive Branch (FCEB) agencies must apply the necessary mitigations by May 7, 2025 to secure their networks against active threats.

Update

In a report released this week, Arctic Wolf said it has been tracking campaigns targeting VPN credential access on SonicWall SMA devices since January 2025. The activity is suspected to be related to the exploitation of CVE-2021-20035.

“One notable aspect of the campaign was the use of a local super-admin account (admin@LocalDomain) on these appliances, which has an insecure default password of ‘password’,” said security researcher Andres Ramos. “It’s important to note that even fully patched firewall devices can be compromised if an account uses poor password hygiene.”


“When firewall accounts are independently compromised, vulnerabilities such as CVE-2021-20035 can be used in tandem to establish persistence and widen the scope of the attack.”

(The story was updated after publication to include insights from Arctic Wolf.)
