Older SonicWall SMA100 vulnerability exploited in the wild
Dive Brief:
- SonicWall on Tuesday disclosed that an OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, tracked as CVE-2021-20035, has been exploited in the wild. The vulnerability was first disclosed and patched in September 2021.
- The vulnerability was initially assigned a medium-severity CVSS score of 6.5. However, SonicWall raised the score to 7.2, making CVE-2021-20035 a high-severity flaw.
- CISA added CVE-2021-20035 to its known exploited vulnerabilities (KEV) catalog on Wednesday. The agency’s listing for the SonicWall flaw said it’s unknown whether the exploitation activity involves ransomware attacks.
Dive Insight:
SonicWall said CVE-2021-20035 stems from improper neutralization of special elements in the SMA100 management interface. If exploited, a threat actor could remotely inject arbitrary commands as a “nobody” user, which could lead to code execution.
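The flaw class described above, "improper neutralization of special elements" leading to OS command injection (CWE-78), comes down to untrusted request input reaching a shell. The following is an added illustration, not SonicWall code and not the SMA100 code path: it contrasts the vulnerable pattern (interpolating a parameter into a shell string) with the hardened one (allowlist validation, then an argv list with no shell), and includes a small triage helper for spotting shell metacharacters in logged management-interface parameters. The tool name `echo`, the host parameter and the probe string are constructed stand-ins so the example runs offline.

```python
import re
import subprocess

# Constructed stand-in for the diagnostic tool a management UI might shell out to.
# A real appliance would invoke a network utility; "echo" is used here only so the
# example runs anywhere without network access.
TOOL = "echo"

# Shell metacharacters that let attacker-controlled input break out of the intended command.
SHELL_METACHARS = re.compile(r"[;&|`$()<>\n]")

# Conservative allowlist for a hostname or IPv4 address parameter.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_vulnerable_command(host: str) -> str:
    """Flawed pattern: untrusted input interpolated into a shell command string."""
    return f"{TOOL} {host}"


def run_vulnerable(host: str) -> str:
    """Runs the string through /bin/sh, so any metacharacters in `host` are
    interpreted by the shell. Shown only to contrast with run_safe()."""
    result = subprocess.run(build_vulnerable_command(host), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_host(host: str) -> str:
    """Allowlist validation: reject anything that is not a plausible hostname.
    Rejecting, rather than escaping, is the robust choice for a management API."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_safe_argv(host: str) -> list[str]:
    """Hardened pattern: validated input passed as one argv element, no shell involved."""
    return [TOOL, validate_host(host)]


def run_safe(host: str) -> str:
    """Execute the tool without a shell; the host can only ever be a single argument."""
    result = subprocess.run(build_safe_argv(host), capture_output=True, text=True)
    return result.stdout


def suspicious_metachars(value: str) -> list[str]:
    """Triage helper: list shell metacharacters present in a request parameter.
    Useful when reviewing management-interface access logs for injection attempts."""
    return SHELL_METACHARS.findall(value)


if __name__ == "__main__":
    probe = "localhost; echo INJECTED"  # constructed probe: a second command after ';'
    print("vulnerable (shell string):", repr(run_vulnerable(probe)))
    # Even without validation, an argv list never hands the value to a shell:
    print("argv form, no validation:",
          repr(subprocess.run([TOOL, probe], capture_output=True, text=True).stdout))
    try:
        run_safe(probe)
    except ValueError as exc:
        print("hardened:", exc)
    print("metacharacters found:", suspicious_metachars(probe))
```

Running the script shows the shell-string form executing both commands while the argv form treats the whole value as one literal argument and the validated form rejects it outright. Note that a low-privilege service account such as "nobody" bounds what an injected command can do directly, but it does not prevent execution; the fix is removing the shell from the path and validating input before use.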
The vulnerability was discovered and reported by Wenxu Yin, a security researcher with Qihoo 360 Technology Co. in Beijing, China.
With the addition to CISA’s KEV catalog, federal civilian executive branch agencies have until May 7 to either patch their SonicWall appliances or discontinue use of the product if mitigations cannot be applied.
Cybersecurity Dive contacted SonicWall for comment on the exploitation activity but the company had not responded at press time.
SonicWall vulnerabilities have been popular targets for a variety of threat actors in recent years as both cybercriminals and nation-state attackers have shifted focus to edge devices such as VPNs and firewalls. For example, in February CISA added CVE-2024-53704, an improper authentication vulnerability in the SSL VPN mechanism of the vendor’s firewalls, to the KEV catalog. Censys later reported that more than 450 vulnerable firewalls were exposed to the public internet.