# SonicWall SMA devices face active attacks via CVE-2021-20035 RCE flaw. Patch now...
Security researchers have revealed that SonicWall Secure Mobile Access (SMA) devices have been under active attack since January 2025 through a vulnerability originally patched nearly four years ago. This remote code execution vulnerability (CVE-2021-20035), initially underestimated as a mere denial-of-service issue, has now been confirmed to allow attackers to execute arbitrary code on vulnerable systems.
The exploitation campaign highlights how threat actors continue to leverage older vulnerabilities to compromise security infrastructure, particularly when organizations fail to apply available patches. With CISA adding this vulnerability to its Known Exploited Vulnerabilities catalog on April 16, 2025, federal agencies now face a May 7th deadline to remediate the issue.
## Vulnerability Details and Evolution
The vulnerability known as CVE-2021-20035 affects SonicWall SMA 100 series appliances, including SMA 200, 210, 400, 410, and 500v devices across physical, virtual, and cloud deployments. Originally discovered and patched in September 2021, this security flaw was initially described by SonicWall as only capable of causing denial-of-service attacks. However, in a significant development on April 15, 2025, SonicWall updated its four-year-old security advisory to indicate that the vulnerability is being actively exploited in the wild and presents a more severe risk than previously thought. The vulnerability’s CVSS score was consequently upgraded from a medium severity rating of 6.5 to a high severity score of 7.2, reflecting its enhanced threat potential.
The technical nature of the vulnerability involves "improper neutralization of special elements in the SMA100 management interface," which allows remote authenticated attackers to inject arbitrary operating system commands as the "nobody" user. While this originally seemed limited in impact, further analysis has revealed that successful exploitation can lead to remote code execution, significantly elevating the risk to affected organizations. This revelation is particularly concerning because the vulnerability requires only low privileges and low attack complexity, making it an attractive target for threat actors seeking initial access to corporate networks. The update from SonicWall reflects an evolving understanding of how the vulnerability can be weaponized, demonstrating that security flaws can have impacts beyond their initial assessment.
### Affected Versions and Patching Information
The vulnerability impacts several versions of SonicWall SMA 100 series firmware, with specific patches available for each affected version line. Organizations running firmware versions 10.2.1.0-17sv and earlier need to upgrade to at least 10.2.1.1-19sv or higher to remediate the vulnerability. Similarly, those using version 10.2.0.7-34sv and earlier should update to at least 10.2.0.8-37sv or higher, while systems running 9.0.0.10-28sv and earlier require an upgrade to at least 9.0.0.11-31sv or higher. SonicWall's current recommendation goes beyond these minimum fixes, suggesting that all affected customers should update to firmware version 10.2.1.14-75sv for optimal protection.
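The fixed-version table above is easy to misread when an inventory spans several release branches, so here is an added illustration (not SonicWall tooling) that classifies a firmware version string against the per-branch fix levels and the recommended version stated in the advisory. The version-string format (four dotted numbers followed by `-<build>sv`) is an assumption based on how the versions are written above; the inventory is constructed sample data.

```python
"""Classify SonicWall SMA 100 firmware versions against the CVE-2021-20035
fix levels quoted in the advisory text.

Added example, not SonicWall's own tooling. Parsing assumes the
'A.B.C.D-<build>sv' shape used by the versions in the text.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed version per release branch (keyed by the first three
# dotted components), as listed in the advisory text above.
FIXED_VERSIONS: Dict[Tuple[int, int, int], str] = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}
# Version SonicWall recommends all affected customers move to.
RECOMMENDED_VERSION = "10.2.1.14-75sv"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.1.0-17sv' into the comparable tuple (10, 2, 1, 0, 17)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched', 'recommended' or 'unknown-branch'
    for one firmware version relative to CVE-2021-20035."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:3])
    if fixed is None:
        return "unknown-branch"  # a branch the advisory does not list
    if v >= parse_version(RECOMMENDED_VERSION):
        return "recommended"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group appliance names by assessment so the vulnerable ones stand out."""
    groups: Dict[str, List[str]] = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(assess(version), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "sma410-hq": "10.2.1.0-17sv",
        "sma500v-dc2": "10.2.0.9-40sv",
        "sma210-branch": "9.0.0.10-28sv",
        "sma410-lab": "10.2.1.14-75sv",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:>14}: {', '.join(hosts)}")
```

Anything reported as `vulnerable` needs one of the branch minimums at least; the advisory's own guidance is to move everything to the `recommended` level rather than stopping at the minimum fix.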
The persistence of vulnerable systems nearly four years after patches were made available highlights a common challenge in cybersecurity: the significant lag between patch availability and deployment across affected organizations. This gap creates extended windows of opportunity for threat actors to exploit known vulnerabilities, even when fixes exist. The situation is complicated by the critical nature of VPN appliances in organizational infrastructure, which often makes them difficult to take offline for maintenance without significant operational disruption, potentially delaying necessary security updates in favor of continued business operations.
## Exploitation Campaign Details
According to researchers, an active campaign exploiting CVE-2021-20035 has been targeting SonicWall SMA devices since at least January 2025, continuing through April 2025.
This credential access campaign specifically focuses on SMA 100 series appliances with exposed management interfaces, demonstrating the attackers' strategic targeting of vulnerable remote access infrastructure. One particularly concerning aspect of the campaign involves the exploitation of poor password hygiene, with threat actors leveraging a local super admin account (admin@LocalDomain) that was configured with the insecure default password "password". This combination of vulnerability exploitation and weak credential security provides attackers with an effective method to compromise these critical access points.
The timing of this campaign is significant, beginning several months before SonicWall's public acknowledgment of active exploitation. Our observation of this activity from January through April 2025 suggests that threat actors identified and weaponized the vulnerability long before it was officially flagged as being exploited in the wild. This delay between initial exploitation and public disclosure created an extended period during which attacks could proceed with reduced detection and response from security teams who may not have prioritized patching what was previously considered a lower-severity vulnerability. The campaign demonstrates how threat actors continually scan for and exploit vulnerabilities in security appliances, particularly those that provide remote access capabilities.
### Exploitation Tactics and Techniques
The exploitation of CVE-2021-20035 showcases a sophisticated approach combining credential access with vulnerability exploitation. Attackers first target the VPN appliances for credential access, either using default credentials or employing brute force, credential stuffing, or dictionary-based attacks to compromise legitimate accounts[^1_1]. Once authenticated, they leverage the vulnerability to inject arbitrary commands as the "nobody" user, which can lead to code execution despite the limited privileges of this account[^1_6][^1_12]. This two-stage approach allows threat actors to establish persistence and potentially widen the scope of their attacks within the target network.
The campaign highlights how even vulnerabilities requiring authentication can be effectively weaponized when combined with common credential-abuse techniques. Using the default admin account with its default password illustrates how basic security misconfigurations can undermine even patched systems, providing attackers with the initial access needed to exploit the vulnerability. Our researchers continue to track indicators of compromise associated with this campaign, alerting customers when related activity is observed in their environments[^1_1].
## Regulatory Response and Implications
On April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming that the vulnerability is being actively exploited in attacks.
This addition to the KEV catalog triggers requirements under CISA's Binding Operational Directive (BOD) 22-01, which requires all Federal Civilian Executive Branch (FCEB) agencies to either patch their SonicWall appliances or discontinue use of the products if mitigations cannot be applied by May 7, 2025. This three-week remediation timeline underscores the urgency with which CISA views this threat to federal infrastructure.
The CISA listing for the SonicWall flaw notes that it's currently unknown whether the exploitation activity involves ransomware attacks, though the agency clearly considers the vulnerability a significant threat to federal networks. The explicit timeline for remediation puts pressure on federal agencies to prioritize patching these devices, even if it requires service disruption. While BOD 22-01 only directly applies to U.S. federal agencies, the directive also sets a benchmark for private sector organizations, signaling that this vulnerability requires immediate attention from all SonicWall users regardless of sector.
## Recommended Mitigations
To protect against exploitation of CVE-2021-20035, organizations should immediately apply the appropriate firmware updates provided by SonicWall. The vendor recommends updating to firmware version 10.2.1.14-75sv, which includes the fix for this vulnerability along with other security improvements. Organizations unable to patch their systems immediately should implement compensating controls to limit potential exposure while preparing for updates. Given the confirmed exploitation in the wild, these updates should be treated as urgent security measures rather than routine maintenance.
Beyond patching, several additional security measures have been recommended to reduce the risk of compromise. Organizations should limit VPN access to only the minimum necessary accounts, removing all superfluous access. Any unused or unnecessary accounts should be deactivated entirely to reduce the attack surface. Multi-factor authentication should be enabled for all accounts, providing an additional layer of security even if passwords are compromised. Finally, all local accounts on SonicWall SMA appliances should have their passwords reset, with particular attention to removing any default credentials such as the admin@LocalDomain account's default "password".
### Additional Security Recommendations
Network defenders should also implement a comprehensive monitoring strategy for their VPN appliances, actively auditing access logs to identify signs of unauthorized or anomalous remote access attempts[^1_4]. Implementing network segmentation can help limit the potential impact of a successful breach, ensuring that compromised VPN access doesn’t immediately translate to full network access. Organizations should consider applying web application firewalls (WAF) and additional hardening measures to further reduce the attack surface of their SMA management interfaces.
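The access-log audit recommended above, and the password-hygiene point about the admin@LocalDomain account, can be turned into a small, repeatable check. The following is an added example (not part of the original article or of any vendor tooling): it reads authentication events in a constructed, generic `key=value` line format, since the page does not show SonicWall's real log layout, and raises three findings a defender would want to see: a run of failed logins from one source against one account, a success that follows such a run, and any successful login to the default super admin account.

```python
"""Audit VPN appliance authentication events for the patterns described in
the article: password guessing against an account, a success following a
run of failures, and use of the default super admin account.

Added example, not SonicWall tooling. The log line format below is an
assumption chosen for illustration; adapt LOG_RE to the real export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

DEFAULT_ADMIN = "admin@LocalDomain"   # default local super admin named in the article
FAIL_THRESHOLD = 5                    # failures per (source, user) within WINDOW
WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool


class Finding(NamedTuple):
    kind: str
    src: str
    user: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed-format log line; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        src=m["src"],
        user=m["user"],
        ok=m["result"] == "OK",
    )


def audit(lines: Iterable[str]) -> List[Finding]:
    """Walk events in time order and emit findings for suspicious patterns."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    findings: List[Finding] = []
    recent_fail: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    already_flagged = set()

    for e in events:
        key = (e.src, e.user)
        if not e.ok:
            # Keep only failures inside the sliding window before counting.
            fails = [t for t in recent_fail[key] if e.ts - t <= WINDOW]
            fails.append(e.ts)
            recent_fail[key] = fails
            if len(fails) >= FAIL_THRESHOLD and key not in already_flagged:
                findings.append(Finding("password-guessing", e.src, e.user))
                already_flagged.add(key)
            continue

        # A success right after a guessing run is the event worth escalating.
        if len(recent_fail[key]) >= FAIL_THRESHOLD:
            findings.append(Finding("success-after-guessing", e.src, e.user))
        recent_fail[key] = []
        # The default super admin should have been renamed or disabled,
        # so any successful use of it is reportable on its own.
        if e.user == DEFAULT_ADMIN:
            findings.append(Finding("default-admin-success", e.src, e.user))
    return findings


# Constructed sample log: one guessing run against the default admin account
# that eventually succeeds, plus ordinary activity that should stay quiet.
SAMPLE_LOG = """
2025-02-03T04:10:01Z src=203.0.113.7 user=admin@LocalDomain result=FAIL
2025-02-03T04:10:04Z src=203.0.113.7 user=admin@LocalDomain result=FAIL
2025-02-03T04:10:08Z src=203.0.113.7 user=admin@LocalDomain result=FAIL
2025-02-03T04:10:30Z src=198.51.100.22 user=jdoe result=FAIL
2025-02-03T04:10:45Z src=198.51.100.22 user=jdoe result=OK
2025-02-03T04:11:02Z src=203.0.113.7 user=admin@LocalDomain result=FAIL
2025-02-03T04:11:09Z src=203.0.113.7 user=admin@LocalDomain result=FAIL
2025-02-03T04:11:40Z src=203.0.113.7 user=admin@LocalDomain result=OK
2025-02-03T09:00:00Z src=192.0.2.50 user=ops result=OK
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.kind:<24} src={f.src} user={f.user}")
```

A single mistyped password (the `jdoe` lines) produces nothing, while the run against admin@LocalDomain yields all three findings from the same source. The `default-admin-success` finding is deliberately unconditional: once that account has been reset or disabled as the mitigations above require, any success against it is itself the anomaly.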
The vulnerability underscores the importance of proper credential management and authentication practices for administrative accounts on security appliances. Even fully patched appliances may be compromised if accounts use poor password hygiene, as this campaign's use of the default admin account demonstrates. Organizations should review their password policies, particularly for administrative accounts on network security devices, to ensure they meet current security standards and are regularly rotated. This comprehensive approach goes beyond merely patching vulnerabilities to address the broader security posture necessary to protect critical infrastructure devices.
## Broader Context and Related Vulnerabilities
The exploitation of [CVE-2021-20035](https://www.sonicwall.com/support/notices/product-notice-arbitrary-command-injection-vulnerability-in-sonicwall-sma-100-series-appliances/250415122607607) is part of a concerning trend of attacks targeting VPN and secure access appliances, which represent critical components of organizational security infrastructure. These edge devices have become popular targets for threat actors as both cybercriminals and nation-state attackers have shifted focus to VPNs and firewalls as entry points into protected networks. This trend is particularly significant as many organizations continue to support remote work arrangements, increasing their reliance on VPN infrastructure and potentially expanding their attack surface.
SonicWall products have experienced multiple serious security challenges in recent months. In January 2025, the company urged customers to patch a critical vulnerability [CVE-2025-23006](https://nvd.nist.gov/vuln/detail/CVE-2025-23006) affecting SMA1000 secure access gateways following reports of zero-day exploitation. This vulnerability had a CVSS score of 9.8 out of 10, indicating extremely high severity, and allowed unauthenticated remote attackers to execute arbitrary operating system commands under certain conditions. In February 2025, SonicWall warned of an actively exploited authentication bypass flaw (CVE-2024-53704) in Gen 6 and Gen 7 firewalls that could allow hackers to hijack VPN sessions. This pattern of vulnerabilities suggests ongoing security challenges across SonicWall's product portfolio.
Originally underestimated as a denial-of-service issue when patched in 2021, this vulnerability has now been confirmed to enable remote code execution by sophisticated threat actors.
The addition of this vulnerability to CISA's Known Exploited Vulnerabilities catalog underscores its significance and creates regulatory pressure for federal agencies to address the issue by May 7, 2025. For all organizations using SonicWall SMA devices, immediate patching to the latest firmware versions is essential, along with implementing additional security measures such as multi-factor authentication, account auditing, and password resets. This incident serves as a powerful reminder that security infrastructure itself can become a vector for attacks when not properly maintained and secured, highlighting the critical importance of comprehensive security practices for edge devices and remote access solutions.