SonicWall has issued an urgent advisory for its customers to address three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of which has been reported as actively exploited in cyberattacks.

These vulnerabilities—CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821—were identified and reported by cybersecurity researcher Ryan Emmons from Rapid7. Attackers can exploit these flaws collectively to achieve remote code execution with root privileges on compromised devices.

The affected devices include the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v models. SonicWall recommends updating to firmware version 10.2.1.15-81sv or higher to mitigate these vulnerabilities.
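A fleet-triage check for the upgrade guidance above, as an added example that is not SonicWall's or Rapid7's code. It assumes firmware strings follow the same numeric layout as the fixed version quoted in the advisory and that your inventory can be exported as (hostname, model, firmware) rows; the sample rows are constructed.

```python
import re

# Values taken from the advisory text above.
FIXED = "10.2.1.15-81sv"
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

# Assumed layout: four dotted numbers, a dash, a build number, then "sv".
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Turn '10.2.1.15-81sv' into a comparable tuple (10, 2, 1, 15, 81)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(inventory):
    """Return {hostname: status} for each (hostname, model, firmware) row."""
    fixed = parse_version(FIXED)
    result = {}
    for host, model, firmware in inventory:
        if model not in AFFECTED_MODELS:
            result[host] = "not-affected-model"
            continue
        try:
            current = parse_version(firmware)
        except ValueError:
            # Unknown format: fail closed so a human checks the appliance.
            result[host] = "review"
            continue
        # Numeric tuple comparison, so 10.2.1.9 sorts below 10.2.1.15.
        result[host] = "patched" if current >= fixed else "upgrade"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("vpn-a", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-b", "SMA 210", "10.2.1.15-81sv"),
    ("vpn-c", "SMA 500v", "10.2.1.9-57sv"),  # a plain string compare would rank this newer
    ("vpn-d", "SMA 400", "unknown"),
    ("gw-1", "SMA 1000", "12.4.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Appliances reported as "review" have a firmware string the parser does not recognise and should be checked by hand rather than assumed patched.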

“SonicWall strongly advises users of the affected SMA 100 series products to upgrade to the patched firmware version to ensure security against these vulnerabilities,” the advisory stated.

Exploiting CVE-2025-32819 allows threat actors to delete the primary SQLite database, reset the default Administrator password, and access the SMA’s web interface. By then exploiting the path traversal vulnerability CVE-2025-32820, attackers can make the /bin directory writable and leverage CVE-2025-32821 to execute code remotely as root.

“An attacker possessing access to an SMA SSLVPN user account can chain these vulnerabilities to modify a sensitive system directory, elevate their privileges to that of an SMA administrator, and execute code remotely,” Rapid7 explained.

Based on internal indicators of compromise (IOCs) and findings from incident response engagements, it is believed that these vulnerabilities have been exploited in live attacks.

In addition, SonicWall recommends that administrators inspect their SMA device logs for any signs of unauthorized access, as well as enable security features such as web application firewalls and multifactor authentication (MFA) on their SMA 100 series appliances as precautionary measures.

Recently, SonicWall publicized two additional vulnerabilities, CVE-2023-44221 and CVE-2024-38475, which are also under active exploitation and can allow attackers to inject commands and execute code remotely on SMA devices.

Moreover, in April, SonicWall identified another critical vulnerability, CVE-2021-20035, which was confirmed to be exploited in remote code execution attacks against SMA 100 VPN appliances. Subsequent investigations revealed that this flaw had been under active exploitation since at least January 2025.

In early January, SonicWall cautioned administrators about a critical flaw in the SMA 1000 secure access gateways that was being exploited during zero-day attacks. A month later, the company highlighted another actively exploited authentication bypass vulnerability that affected Gen 6 and Gen 7 firewalls, enabling potential hijacking of VPN sessions.