SonicWall SMA 100 Series Affected by Multiple High-Severity Vulnerabilities


Rapid7 details multiple severe vulnerabilities found in SonicWall’s Secure Mobile Access (SMA) 100 series devices, which have now been patched. These vulnerabilities, if exploited, could have allowed remote code execution, authentication bypass, and arbitrary file upload.

Severity Level: High

VULNERABILITY OVERVIEW:

  1. Vulnerability Details:
    o Vulnerabilities are tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821.
    o An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities.
    o Affected services: HTTP (port 80) and HTTPS (port 443).
    o CVSS scores for the three CVEs, in the order listed above: 8.8, 8.3, and 6.7 respectively.
  2. Discovery:
    o These vulnerabilities were discovered by Ryan Emmons, Staff Security Researcher at Rapid7, during a proactive security assessment and were responsibly disclosed to SonicWall.
    o SMA 100 devices are widely deployed across sectors such as healthcare, government, finance, and technology.
    o A single exploit path can potentially grant persistent access to internal networks via VPN gateways.
  3. Exploitation Details:
    o Attacker gains initial access using valid SSLVPN credentials (e.g., compromised user account).
    o Exploits CVE-2025-32819 to erase the primary database, reset the default admin password, and log in to the web interface as the default admin.
    o Uses CVE-2025-32820 to modify permissions and make /bin writable.
    o Leverages CVE-2025-32821 to drop an executable shell or script and achieve RCE as root, fully compromising the system.
    o An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution.

AFFECTED PRODUCTS:

  1. SMA 100 Series (SMA 200, 210, 400, 410, 500v): 10.2.1.14-75sv and earlier versions.

Recommendations:

  1. Apply the firmware update (version 10.2.1.15-81sv or higher) immediately to patch the vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821).
  2. Review device logs for any signs of unauthorized or suspicious login activity.
  3. Implement a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.
  4. Enforce Multi-Factor Authentication (MFA) for all users accessing the SMA 100 appliances.
  5. Restrict SSLVPN access to trusted users and networks where possible.
  6. Monitor for unusual file system changes or executable uploads on SMA devices.
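As an added example (not code from the advisory, SonicWall, or Rapid7), the following Python script triages an appliance inventory against the version boundaries stated in the Affected Products section and Recommendation 1: firmware 10.2.1.14-75sv and earlier is affected, and 10.2.1.15-81sv or higher is patched. It parses the SMA firmware string into a numeric tuple so that versions compare correctly (a lexical comparison would wrongly sort 10.2.1.9 after 10.2.1.14), flags any build that falls between the two boundaries conservatively as still needing the update, and reports version strings it cannot parse for manual review. The inventory layout, hostnames, and function names are assumptions; the sample firmware values are constructed for the example.

```python
import re

# Version boundaries as stated in the advisory
FIXED_VERSION = "10.2.1.15-81sv"   # this build "or higher" is patched
LAST_AFFECTED = "10.2.1.14-75sv"   # this build "and earlier" is affected
ADVISORY_CVES = ("CVE-2025-32819", "CVE-2025-32820", "CVE-2025-32821")
SMA_100_MODELS = frozenset({"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"})

# SMA 100 firmware strings look like 10.2.1.14-75sv: four dotted numbers,
# a dash, a build number and the "sv" suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv\s*$")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, rev, build)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(model, firmware):
    """Classify one appliance against the advisory's version boundaries.

    Returns one of:
      "out-of-scope"  model is not in the SMA 100 series
      "patched"       firmware >= 10.2.1.15-81sv
      "affected"      firmware <= 10.2.1.14-75sv
      "below-fix"     between the two boundaries: not on the affected list,
                      but below the fixed build, so treat as needing the update
      "unparseable"   version string did not match the expected form; review by hand
    """
    if model not in SMA_100_MODELS:
        return "out-of-scope"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unparseable"
    if version >= parse_version(FIXED_VERSION):
        return "patched"
    if version <= parse_version(LAST_AFFECTED):
        return "affected"
    return "below-fix"


def triage(inventory):
    """Classify every appliance and collect the names that need the update.

    Returns (report, needs_update): a name -> status mapping and the list of
    names whose status is affected, below-fix or unparseable.
    """
    report = {}
    needs_update = []
    for host in inventory:
        status = classify(host["model"], host["firmware"])
        report[host["name"]] = status
        if status in ("affected", "below-fix", "unparseable"):
            needs_update.append(host["name"])
    return report, needs_update


# Constructed sample inventory: hostnames and firmware values are made up
# for this example and do not describe any real deployment.
SAMPLE_INVENTORY = [
    {"name": "vpn-gw-01", "model": "SMA 410",  "firmware": "10.2.1.14-75sv"},
    {"name": "vpn-gw-02", "model": "SMA 500v", "firmware": "10.2.1.15-81sv"},
    {"name": "vpn-gw-03", "model": "SMA 210",  "firmware": "10.2.1.9-57sv"},
    {"name": "vpn-gw-04", "model": "SMA 200",  "firmware": "10.2.1.15-80sv"},
    {"name": "vpn-gw-05", "model": "SMA 1000", "firmware": "n/a (different product line)"},
    {"name": "vpn-gw-06", "model": "SMA 400",  "firmware": "unknown"},
]

if __name__ == "__main__":
    report, todo = triage(SAMPLE_INVENTORY)
    for name, status in report.items():
        print(f"{name:<10} {status}")
    print("Update to", FIXED_VERSION, "for", ", ".join(ADVISORY_CVES), "on:", ", ".join(todo))
```

The "below-fix" bucket exists because the advisory only names the two boundary builds; a build that sits between them is not explicitly listed as affected, but it is also below the fixed build, so the script errs on the side of scheduling the update rather than silently marking it safe. Unparseable strings are likewise surfaced rather than dropped, since an inventory field that does not look like an SMA 100 firmware version is exactly the record a defender should look at by hand.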

Sources:

  • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0011
  • https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
  • https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/
