SonicWall customers confront resurgence of actively exploited vulnerabilities

Vulnerabilities are proliferating in SonicWall devices and software this year, putting the vendor’s customers at risk of intrusion via secure access gateways and firewalls.

The year started off on a sour note for the California-based company when it released security advisories for nine vulnerabilities on Jan. 7. The total number of vulnerabilities publicly disclosed by the company so far in 2025 has grown to 20. 

SonicWall vulnerabilities are also making a consistent appearance on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog. Cyber authorities confirm that attackers exploited four vulnerabilities in SonicWall products so far this year, and 14 total since late 2021.

Eight of those vulnerabilities have been exploited in ransomware campaigns, according to CISA.

SonicWall customers enjoyed a relative lull, with no new vulnerabilities exploited in the wild between March 2022 and September 2024, but malicious activity targeting the vendor’s equipment and software resurged earlier this year.

The four actively exploited vulnerabilities added to CISA’s catalog this year include a trio in SonicWall Secure Mobile Access (SMA) 100 Appliances: a pair of operating system command injection vulnerabilities, CVE-2023-44221 and CVE-2021-20035, and a critical deserialization of untrusted data vulnerability, CVE-2025-23006. 

The other vulnerability recently exploited in the wild, CVE-2024-53704, is an improper authentication defect in the secure sockets layer virtual private network (SSL/VPN) mechanism in SonicWall SonicOS, the operating system that powers the company’s latest firewalls.
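The KEV tallies cited above (four SonicWall entries this year, 14 since late 2021, eight tied to ransomware) are the kind of figures a defender should recompute against the live catalog rather than take from a news story. The script below is an added example, not code from the article, CISA or SonicWall. It uses the real field names of CISA's public KEV JSON feed (cveID, vendorProject, dateAdded, dueDate, knownRansomwareCampaignUse), but the embedded records are constructed sample data: the CVE IDs are the ones the article names, CVE-2021-00000 is a placeholder, and every date and ransomware flag is illustrative rather than the catalog's actual value. The `fetch_live_kev` helper is the only part that touches the network and is optional.

```python
"""Summarise CISA KEV exposure for one vendor: entries per year, ransomware
use and entries whose remediation due date has already passed.

The live feed lives at KEV_FEED_URL and its records carry the fields used
below. SAMPLE_KEV_JSON is CONSTRUCTED sample data in that shape so the script
runs offline; dates and flags are placeholders, not the catalog's values.
"""
import json
from collections import Counter
from datetime import date

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# CONSTRUCTED sample records. CVE IDs are those the article names;
# CVE-2021-00000 is an obvious placeholder for an older SonicWall entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall",
         "product": "SMA 100 Appliances", "dateAdded": "2025-01-24",
         "dueDate": "2025-02-14", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-53704", "vendorProject": "SonicWall",
         "product": "SonicOS", "dateAdded": "2025-02-18",
         "dueDate": "2025-03-11", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-20035", "vendorProject": "SonicWall",
         "product": "SMA 100 Appliances", "dateAdded": "2025-04-16",
         "dueDate": "2025-05-07", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall",
         "product": "SMA 100 Appliances", "dateAdded": "2025-05-01",
         "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-00000", "vendorProject": "SonicWall",
         "product": "placeholder", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2024-04-12",
         "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text):
    """Return the list of vulnerability records from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def _as_date(value):
    """Accept an ISO date string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def summarize(entries, vendor, today=None):
    """Filter KEV entries for one vendor (case-insensitive match on
    vendorProject) and report totals, per-year additions, entries with known
    ransomware use, and entries whose due date is already behind `today`."""
    today = date.today() if today is None else _as_date(today)
    key = vendor.casefold()
    mine = [e for e in entries
            if e.get("vendorProject", "").casefold() == key]
    by_year = Counter(_as_date(e["dateAdded"]).year for e in mine)
    ransomware = sorted(e["cveID"] for e in mine
                        if e.get("knownRansomwareCampaignUse") == "Known")
    overdue = sorted(e["cveID"] for e in mine
                     if _as_date(e["dueDate"]) < today)
    return {"vendor": vendor, "total": len(mine), "by_year": dict(by_year),
            "ransomware": ransomware, "overdue": overdue}


def fetch_live_kev(timeout=30):
    """Optional: download the real catalog (network access required)."""
    import urllib.request
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline run against the constructed sample as of an illustrative date.
    report = summarize(load_kev(SAMPLE_KEV_JSON), "SonicWall", "2025-05-10")
    print(json.dumps(report, indent=2))
```

Swap `load_kev(SAMPLE_KEV_JSON)` for `fetch_live_kev()` to run the same report against the current catalog; the `overdue` list is a quick way to see which exploited entries for a vendor you run are past CISA's remediation deadline and still unpatched in your estate.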

Three new SonicWall defects emerge

Earlier this week, the company disclosed and released patches for three new vulnerabilities — CVE-2025-32819, CVE-2025-32820 and CVE-2025-32821 — affecting SonicWall SMA 100 appliances.

Ryan Emmons, security researcher at Rapid7, discovered the new vulnerabilities last month and shared details with SonicWall on May 2. SonicWall’s security team acknowledged the disclosure in about 30 minutes and three days later shared a patch with Rapid7, which it validated as effective, Emmons said in a blog post. 

SonicWall released a software update and published a security advisory for the vulnerabilities on Wednesday, five days after Rapid7 initially shared its findings with the company. For some SonicWall SMA 100 customers, it might have been too late.

“Rapid7 believes that CVE-2025-32819 may have been exploited in the wild, based on internal investigations and known private indicators of compromise,” Emmons told CyberScoop via email. “We haven’t yet observed any signs that CVE-2025-32820 and CVE-2025-32821 are exploited in the wild. However, SMA 100 series appliances are popular, so it’s likely that will change in the future.”

Attackers can exploit the three software defects and chain them together to achieve “remote code execution as root on a SonicWall SMA 100 appliance, which is the highest level of privileges and control an attacker can establish on a device like that,” Emmons said.

An attacker doesn’t need exceptional skills to reach that malicious goal. Cybercriminals can exploit CVE-2025-32819 once they gain access to any low-privilege user account on a vulnerable SonicWall SMA 100, according to Emmons.

“That allows the attacker to delete a key file and reboot the SMA with a default administrator username and password,” Emmons said. “From there, they can log in and use the other two exploits to establish full control of the device.”

Matt Neiderman, chief strategy officer at SonicWall, told CyberScoop the company is unaware of any active exploitation of the three recently disclosed vulnerabilities — CVE-2025-32819, CVE-2025-32820 and CVE-2025-32821 — and SonicWall is working with Rapid7 to investigate further.

“While Rapid7 has published technical details and proof-of-concept exploits — currently we have no data to substantiate exploitation by malicious third parties — there is no indication from SonicWall that these specific vulnerabilities are being actively exploited in the wild,” Neiderman said.

“Given the availability of exploit code and the critical nature of these vulnerabilities, it’s strongly recommended to apply the latest patches provided by SonicWall to mitigate potential risks,” Neiderman added.

Security devices are under attack

SonicWall is among many network device vendors targeted by cybercriminals, and in every case it’s the customers who use vulnerable VPNs, firewalls and routers that are directly impacted. 

One-third of all attacks in 2024 were linked to exploits, and the four most commonly exploited vulnerabilities were all contained in edge devices, Mandiant said in its M-Trends report released last month. 

“Since these sorts of Linux-based appliances have restricted operating systems, they virtually never have endpoint protection and response or strong logging capabilities set up, so they make a great alcove for attackers to operate from within the network,” Emmons said.

Customers of larger network device vendors such as Palo Alto Networks, Cisco and Fortinet have been impacted by multiple exploited vulnerabilities in their products since 2024. A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS, CVE-2024-3400, was the most frequently exploited defect across all of Mandiant’s incident response engagements last year. 

A pair of defects affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances — CVE-2023-46805 and CVE-2024-21887 — were the next most frequently exploited vulnerabilities in 2024, according to Mandiant. 

Ivanti appears in CISA’s KEV catalog more than any other firewall, VPN or router vendor over the past 17 months. Attackers have exploited five vulnerabilities in Ivanti products so far this year, and 16 total since the beginning of 2024.

Neiderman, as executives at other security device vendors have noted, said most of the SonicWall vulnerabilities exploited by attackers this year affect older technology. “These vulnerabilities relate primarily to legacy VPN appliances or SSL/VPN, which have been targeted by threat actors across most vendors in the industry,” he said.

“The rise in actively exploited vulnerabilities across the cybersecurity landscape this year also reflects a broader industry challenge,” Neiderman said. “We believe the increase in activity is a combination of the SMA (VPN) appliances being targeted by threat actors because VPN appliances for many vendors have been in the news as being vulnerable.”

Will vulnerabilities push SonicWall to secure-by-design? 

Yet, there’s one piece missing from SonicWall’s commitment to bolster the security of its products. The company hasn’t signed CISA’s secure-by-design pledge, which the federal agency unveiled last year to publicly spur vendors to accept more responsibility for the security of their products.

More than 300 companies, including almost every major network device vendor — Palo Alto Networks, Cisco, Fortinet, Ivanti, Barracuda, Citrix and Check Point Software Technologies, among them — have signed the pledge.

The voluntary public commitment puts the onus on vendors to include well-established security features into their technology by default. This includes multifactor authentication, a reduction of default passwords and entire classes of vulnerabilities that can be prevented at scale, and efforts to increase the installation of security updates by customers.

“SonicWall has implemented all of the core principles defined in the secure-by-design pledge, and fully supports its objectives and formally kicked off the process,” Neiderman said. 

The company’s latest gateway security appliances include security features by default, according to Neiderman. SonicWall announced an end-of-life for legacy SMA 100 series VPN appliances last year, and it recently rolled out a managed protection security suite as a default firewall license and service to ensure proper configuration and best practices, he added.

“Unmanaged and unpatched appliances are a liability,” Neiderman said. “Managed firewalls reduce the risk of breaches from newly discovered vulnerabilities.”

Neiderman said SonicWall intends to formally sign the pledge, but he did not say when or explain why it hasn’t already.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.