
Intel

Indirector


Intel CPUs Vulnerable to High-Precision Indirector BTI Attack, Study Finds

Discover how the Indirector BTI attack targets Intel's Raptor and Alder Lake CPUs, exploiting IBP and BTB flaws to steal sensitive data. Mitigation strategies i...

02-Jul-2024
5 min read


Related Articles


Cyberattack

Marks & Spencer suffers a cyberattack disrupting Click & Collect and contactless...

British retail giant Marks & Spencer (M&S) has confirmed it is managing a cyberattack that has disrupted several key customer services, including its Click and Collect system and contactless payment capabilities. The incident, disclosed on April 22, 2025, has forced the company to implement temporary operational changes while it works with external cybersecurity experts to investigate and resolve the situation.

## Cyber Incident and Its Immediate Impact

M&S revealed that it has been managing a cyber incident for several days, prompting the company to make what it described as "minor, temporary changes" to its store operations[^1][^2]. The cyber incident has primarily affected the retailer's Click and Collect system, causing delays for customers awaiting online orders[^1]. Customers have been advised to wait for confirmation emails before visiting stores for pickups[^9].

Beyond Click and Collect disruptions, the attack has also impacted:

- Contactless payment systems in multiple stores[^2][^3][^10]
- Gift card and voucher functionality, with some customers reporting inability to use these payment methods[^2][^10]
- In-store refund processing capabilities[^2]

Despite these disruptions, M&S has emphasized that all physical stores remain open and that its website and mobile app continue to operate normally[^1][^5][^6]. The company has not disclosed specific details regarding the nature of the cyberattack or whether customer data has been compromised[^1][^3].

### Timeline of Events

The cyber incident appears to have begun during the Easter Bank Holiday weekend, with customer complaints appearing on social media platforms as early as Saturday, April 19, 2025[^3][^11]. The timing is particularly significant as Easter represents the second busiest trading period for retailers after Christmas[^10], potentially maximizing the impact on both M&S operations and customer experience.

M&S officially confirmed the incident on Tuesday, April 22, 2025, through a statement to the London Stock Exchange and direct communications to customers[^5][^7]. As of April 23, 2025, the company was still working to resolve the issues[^1][^6].

## M&S Response and Crisis Management

Upon discovering the cyber incident, M&S implemented a multi-faceted response strategy focusing on containment, investigation, and customer communication.

### Technical and Operational Response

M&S has engaged external cybersecurity experts to assist with investigating and managing the incident[^1][^6][^9]. The company stated it is "taking actions to further protect our network and ensure we can continue to maintain customer service"[^7][^9]. These actions include reinforcing network security while working to restore affected services[^1].

As required by regulations, M&S has reported the incident to:

- The National Cyber Security Centre (NCSC)[^2][^5][^7]
- Relevant data protection supervisory authorities, including the Information Commissioner's Office (ICO)[^2][^5][^7]

### Customer Communication

M&S Chief Executive Stuart Machin issued a statement apologizing for the inconvenience caused to customers[^2][^10]. The company has emphasized that "customer trust is incredibly important" and promised to provide updates if the situation changes[^5][^7].

William Dixon, a Senior Associate Fellow for Cyber and International Security at the Royal United Services Institute (RUSI), praised M&S's customer communications about the incident as "textbook," highlighting the empathy, transparency, and reassurance provided in their messaging[^2].

## Potential Nature and Motivations Behind the Attack

While M&S has not confirmed the specific type of cyberattack, cybersecurity experts have offered several insights based on the pattern of disruption.

### Ransomware Speculation

The disruption to payments and online services suggests a possible ransomware attack[^3][^9]. If ransomware is indeed behind this attack, data may have been stolen to be used as leverage to convince the company to pay a ransom[^9]. As of April 23, 2025, no ransomware group or threat actor had claimed responsibility for the attack[^1][^9].

Cybersecurity analysts suggest that if ransomware is involved, attackers may attempt to pressure M&S privately before making any public statements or demands[^1]. This aligns with typical ransomware tactics where stolen data is often used as leverage to extract payments from victims[^1].

### Strategic Timing

The timing of the attack during the Easter Bank Holiday weekend appears strategic. Ian McShane, a security expert at cybersecurity firm Arctic Wolf, noted that the challenges faced by M&S demonstrate that "cyber attackers never take a day off"[^10]. He explained that "criminals are always seeking to create the most disruption with the least effort," and targeting a major retailer during a busy holiday shopping period maximizes impact[^10][^11].

## Broader Context and Industry Implications

The M&S cyber incident is not occurring in isolation but rather as part of a concerning trend affecting major organizations in the UK and globally.

### Retail Sector Vulnerability

The retail sector remains a prime target for cybercriminals for several reasons:

- High public brand awareness that criminals can leverage for notoriety[^11]
- Seasonal nature of the business, allowing attackers to time their strikes during critical sales periods to maximize pressure[^11]
- Increasing adoption of omnichannel approaches and new technologies that expand the attack surface[^11][^3]

According to reports, the consumer cyclicals and non-cyclicals sectors, which encompass retailers, were among the top five most targeted verticals by ransomware gangs in early 2024[^11].

### Recent Precedents

This incident adds to a growing list of similar cyberattacks affecting major UK organizations:

- Transport for London was forced to shut down numerous online services following a cyberattack in September 2024[^3]
- WH Smith was targeted in 2023, resulting in illegal access to company data, including personal details of current and former staff[^3]
- Morrisons encountered significant issues with Christmas orders in late 2024[^10]

A 2022 government report revealed that 39% of UK businesses reported cybersecurity breaches or attacks in a 12-month period, highlighting the widespread nature of the threat[^3][^8].

## Expert Analysis and Recommendations

Cybersecurity experts have provided several insights regarding the M&S incident and its implications for organizational security practices.

James Hadley, Founder and CIO at cybersecurity training firm Immersive, noted: "While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities"[^2].

Jamie Moles, Senior Technical Manager at ExtraHop, emphasized the importance of early detection: "Incidents like this demonstrate how essential it is to have real-time visibility, threat detection and rapid response capabilities across all digital infrastructure. Network visibility can play a pivotal role, helping organizations detect anomalies early, isolate potential threats and maintain service continuity"[^2].

Daniel Card from Chartered for ITBCS remarked that the M&S incident serves as a "reminder the gap often exists between our perception of cyber resilience and the reality"[^10]. He noted that even well-equipped organizations are not immune to attacks.

## Business Impact and Future Outlook

The cyberattack comes at a critical time for M&S, with its financial year having ended on March 29, 2025, and full-year results scheduled to be announced on May 21, 2025[^6][^15]. Stakeholders will be watching closely to see if the incident has any material impact on performance or customer confidence[^6].

The company's proactive engagement with authorities and cybersecurity experts signals a robust approach to crisis management, aiming to restore full confidence among its customers and investors[^6]. This incident will likely serve as an important test of M&S's cyber resilience and crisis management capabilities.

24-Apr-2025
7 min read

Kimsuky

APT28

State-backed hackers from North Korea, Iran, and Russia exploit ClickFix social ...

ClickFix, a deceptive social engineering tactic originally used by cybercriminals, has now been adopted by multiple state-sponsored threat actors from North Korea, Iran, and Russia for espionage operations. This analysis examines how the technique works, why it is effective, and how various threat actors implement it in their campaigns.

## Evolution and Mechanics of ClickFix

ClickFix is a social engineering technique that uses dialogue boxes containing fake error messages to trick users into copying, pasting, and running malicious PowerShell commands on their own devices. Initially observed in early 2024 in campaigns from initial access broker TA571 and the ClearFake threat cluster, ClickFix has since grown dramatically in popularity across the threat landscape.

The technique operates through a cleverly designed psychological trap. When users visit a malicious website (often via phishing emails or malvertising), they are presented with a fabricated error message that claims a document cannot be opened or a download has failed. The dialogue box then provides what appears to be a helpful solution, typically instructions to copy and paste a command into PowerShell or the Windows Run dialog, that will supposedly fix the issue[1]. Once executed, these commands download and run malware that gives attackers access to the victim's system.

What makes ClickFix particularly insidious is how it preys on people's natural desire to be helpful and independent. By providing both a problem and an apparent solution, attackers make victims feel empowered to "fix" the issue themselves without involving IT support. This approach bypasses security protections by tricking users into infecting their own systems[1].

### Variants and Evolution

ClickFix has evolved since its early implementations, with several variants now in circulation:

1. **Standard Error Fix Variant**: Claims a document or file cannot be opened due to an error that needs fixing.
2. **CAPTCHA Verification Variant**: Presents a fake "Verify You Are Human" CAPTCHA check, based on an open-source toolkit named reCAPTCHA Phish that appeared on GitHub in mid-September 2024[1].
3. **Device Registration Variant**: Requires users to "register" their device by running commands to supposedly access secure content.
4. **Update Requirement Variant**: Claims a critical security update must be applied immediately.

The effectiveness of these variants has led to their rapid adoption across both cybercriminal and state-sponsored threat actors, with Proofpoint observing ClickFix campaigns leading to the deployment of various malware payloads including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport[1].

## State-Sponsored Threat Actors Embracing ClickFix

Between late 2024 and early 2025, multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopted ClickFix in their espionage operations[8][13][14]. This marks a significant evolution in the technique's usage, transitioning from primarily cybercriminal applications to state-sponsored espionage.

### Kimsuky (North Korea)

Between January and February 2025, the North Korean threat actor Kimsuky (also known as TA427) targeted think tanks focused on North Korea-related policy using ClickFix[8][13]. The attack began with spoofed emails in Korean, Japanese, or English purporting to be from Japanese diplomats to initiate contact and build trust with targets. After establishing rapport, the attackers sent PDF files linking to fake secure drives that prompted users to "register" their devices by copying and pasting PowerShell commands into their terminals[8][13].

Once executed, this PowerShell command fetched a second remotely hosted PowerShell script that displayed a decoy PDF document while secretly creating Visual Basic Scripts set to run every 19 minutes via scheduled tasks. These scripts ultimately downloaded and executed QuasarRAT, an open-source remote access trojan that Kimsuky has been using for at least four years[8]. The decoy document claimed to be from the Japanese Ministry of Foreign Affairs and contained questions about nuclear proliferation and policy in Northeast Asia, maintaining the illusion of legitimacy while the malware established persistence[8].

### MuddyWater (Iran)

In mid-November 2024, the Iranian threat group MuddyWater (TA450) targeted at least 39 organizations primarily in the Middle East using ClickFix[8][13][14]. Their campaign used an attacker-controlled email address (support@microsoftonlines[.]com) to send English-language phishing emails disguised as Microsoft security alerts with the subject line "Urgent Security Update Required – Immediate Action Needed"[8].

The attackers deployed ClickFix by instructing recipients to run PowerShell with administrator privileges and then copy-paste a command from the email body. This command installed Level, a remote management and monitoring (RMM) tool that the attackers could then abuse to conduct espionage and exfiltrate data[8]. While MuddyWater has historically used various RMM tools such as Atera, PDQ Connect, ScreenConnect, and SimpleHelp, this was the first observation of them using Level in Proofpoint data[8].

The campaign targeted various sectors including finance, government, health, education, and transportation across the Middle East (particularly UAE and Saudi Arabia) as well as in Canada, Germany, Switzerland, and the United States[8][13].

### UNK_RemoteRogue (Russia)

In December 2024, a suspected Russian threat actor tracked as UNK_RemoteRogue targeted two organizations associated with a major arms manufacturer[8][13][14]. The attackers sent malicious emails from compromised Zimbra servers that spoofed Microsoft Office and included links to fake documents[8]. When recipients clicked these links, they were directed to a page containing instructions in Russian along with a YouTube video tutorial demonstrating how to run PowerShell commands. Following these instructions ran JavaScript that launched PowerShell code linked to the Empire command and control (C2) framework[8][13].

This attack specifically targeted organizations in the defense industry with connections to the ongoing conflict in Ukraine[13]. UNK_RemoteRogue also shares infrastructure with phishing campaigns that targeted defense and aerospace entities to harvest webmail credentials via fake login pages[13].

### APT28 (Russia/GRU)

As early as October 2024, the Russian military intelligence group APT28 (TA422) also adopted ClickFix in their operations. Their approach involved phishing emails mimicking Google Sheets with a fake reCAPTCHA verification step[3][8]. After completing the fake verification, a pop-up guided users to run PowerShell commands that established an SSH tunnel and deployed Metasploit, providing the attackers with remote access to the victim's systems[3][8]. This approach enabled APT28 to maintain persistent access for intelligence gathering operations.

## Technical Analysis and Detection Opportunities

The implementation of ClickFix by various threat actors follows a similar pattern but with group-specific customizations. In most cases, the attack chain involves:

1. **Initial Access**: Typically via phishing emails or compromised websites
2. **User Deception**: Presentation of a fake error or verification requirement
3. **Command Execution**: Tricking users into running PowerShell commands
4. **Payload Delivery**: Downloading and executing the actual malware

During the payload delivery phase, PowerShell typically downloads the malware disguised as an image or benign file and then executes it on the victim's machine[2]. This activity can be detected through monitoring for suspicious PowerShell behavior, particularly instances where PowerShell drops executable files[2]. A sample KQL query for detecting this behavior would look for PowerShell processes dropping executable files:

```kql
DeviceFileEvents
| where InitiatingProcessFileName == "powershell.exe"
| where FileName matches regex "(?i)\\.(exe|dll|msi)$"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, FolderPath, SHA256
```

This query filters for file creation events where PowerShell is the parent process and the file has an executable extension (.exe, .dll, or .msi)[2].

## Why ClickFix Remains Effective

ClickFix has become widely adopted because it effectively circumvents many traditional security controls. Rather than relying on malicious attachments or links that security tools might catch, it exploits human psychology and behavior through social engineering.

The rise of ClickFix can be attributed to improving security awareness around traditional attack vectors. As users have become more cautious about macros, suspicious attachments, and obviously malicious links, attackers have had to adapt by developing more sophisticated social engineering techniques[1]. By focusing on "hacking people's brains, emotions, and behaviors," ClickFix attackers can bypass technical security controls through authorized user actions.

Additionally, the technique is effective because:

1. It provides both a problem and a solution, empowering the user
2. It leverages trusted interfaces (like OS dialogue boxes and PowerShell)
3. It appears to come from authoritative sources (Microsoft, Google, etc.)
4. It creates urgency that bypasses critical thinking

## Defensive Recommendations

To protect against ClickFix and similar social engineering techniques, organizations and individuals should implement several protective measures:

1. **User Education**: Specifically train users about the ClickFix technique and emphasize that legitimate software would never require copying and pasting commands from dialogue boxes.
2. **Technical Controls**: Implement PowerShell restrictions such as Constrained Language Mode and script block logging to detect suspicious PowerShell activity.
3. **Email Security**: Deploy robust email filtering solutions to identify and block phishing attempts before they reach users.
4. **Principle of Least Privilege**: Limit administrative privileges to reduce the impact of successful attacks.
5. **Behavior Monitoring**: Implement endpoint detection and response (EDR) solutions that can identify suspicious PowerShell execution patterns.

The adoption of ClickFix by state-sponsored threat actors from North Korea, Iran, and Russia represents a significant evolution in social engineering tactics used for espionage purposes. Rather than developing entirely new techniques, these groups are incorporating effective methods from the cybercriminal ecosystem into their existing toolkits[8][13]. This trend illustrates the increasing convergence between cybercriminal and state-sponsored tactics and the continued emphasis on social engineering as a primary attack vector.

As security awareness continues to improve around traditional attack methods, we can expect further innovations in social engineering techniques that exploit human psychology rather than technical vulnerabilities. The widespread adoption of ClickFix across multiple state-sponsored groups in a relatively short timeframe demonstrates its effectiveness and suggests it will likely become even more prevalent among threat actors in the near future[8][13]. Organizations must remain vigilant and adapt their security awareness training to address these evolving threats.
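As an added example (not code from the original article or its sources), the filter expressed by the KQL query in the detection section above, applied in Python to constructed DeviceFileEvents-style records so its edge cases can be checked offline: an uppercase extension still matches, while a payload still disguised as an image, a name with the extension in the middle, or a drop by a process other than PowerShell does not. Record keys are assumed to mirror the KQL column names; command lines and hashes are placeholders.

```python
import re
from typing import Dict, List

# Same condition the KQL query expresses: the file name ends in an executable
# extension, matched case-insensitively (the "(?i)" in the KQL regex).
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|msi)$", re.IGNORECASE)

# Columns the KQL "project" clause keeps.
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessCommandLine",
             "FileName", "FolderPath", "SHA256")


def _event(ts: str, initiator: str, name: str) -> Dict[str, str]:
    """Build one constructed DeviceFileEvents-style record (not real telemetry)."""
    return {
        "Timestamp": ts,
        "DeviceName": "ws-0412",
        "InitiatingProcessFileName": initiator,
        "InitiatingProcessCommandLine": f"{initiator} <constructed command line>",
        "FileName": name,
        "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp",
        "SHA256": "<placeholder-hash>",
    }


# Constructed sample events covering the cases the filter must get right.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    _event("2025-04-18T09:12:01Z", "powershell.exe", "photo.png"),      # still disguised as an image
    _event("2025-04-18T09:12:02Z", "powershell.exe", "update.exe"),     # executable drop: flag
    _event("2025-04-18T09:12:03Z", "powershell.exe", "Helper.DLL"),     # uppercase extension: flag
    _event("2025-04-18T09:12:04Z", "powershell.exe", "notes.exe.txt"),  # extension not at the end
    _event("2025-04-18T09:12:05Z", "msiexec.exe", "setup.msi"),         # not dropped by PowerShell
]


def is_executable_name(file_name: str) -> bool:
    """True when the name ends in .exe, .dll or .msi, regardless of case."""
    return EXECUTABLE_EXT.search(file_name) is not None


def find_powershell_drops(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the projected rows for files written by powershell.exe with an
    executable extension. The process-name comparison is case-insensitive here,
    which is slightly broader than the KQL "==" string comparison."""
    hits = []
    for ev in events:
        if ev.get("InitiatingProcessFileName", "").lower() != "powershell.exe":
            continue
        if not is_executable_name(ev.get("FileName", "")):
            continue
        hits.append({col: ev.get(col, "") for col in PROJECTED})
    return hits


if __name__ == "__main__":
    for row in find_powershell_drops(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"], row["FolderPath"], row["FileName"])
```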

21-Apr-2025
9 min read

VPN

RCE

SonicWall SMA devices face active attacks via CVE-2021-20035 RCE flaw. Patch now...

Security researchers have revealed that SonicWall Secure Mobile Access (SMA) devices have been under active attack since January 2025 through a vulnerability originally patched nearly four years ago. This remote code execution vulnerability (CVE-2021-20035), initially underestimated as a mere denial-of-service issue, has now been confirmed to allow attackers to execute arbitrary code on vulnerable systems. The exploitation campaign highlights how threat actors continue to leverage older vulnerabilities to compromise security infrastructure, particularly when organizations fail to apply available patches. With CISA adding this vulnerability to its Known Exploited Vulnerabilities catalog on April 16, 2025, federal agencies now face a May 7th deadline to remediate the issue.

## Vulnerability Details and Evolution

The vulnerability known as CVE-2021-20035 affects SonicWall SMA 100 series appliances, including SMA 200, 210, 400, 410, and 500v devices across physical, virtual, and cloud deployments. Originally discovered and patched in September 2021, this security flaw was initially described by SonicWall as only capable of causing denial-of-service attacks. However, in a significant development on April 15, 2025, SonicWall updated its four-year-old security advisory to indicate that the vulnerability is being actively exploited in the wild and presents a more severe risk than previously thought. The vulnerability's CVSS score was consequently upgraded from a medium severity rating of 6.5 to a high severity score of 7.2, reflecting its enhanced threat potential.

The technical nature of the vulnerability involves "improper neutralization of special elements in the SMA100 management interface," which allows remote authenticated attackers to inject arbitrary operating system commands as a 'nobody' user. While this originally seemed limited in impact, further analysis has revealed that successful exploitation can lead to remote code execution, significantly elevating the risk to affected organizations. This revelation is particularly concerning as the vulnerability requires relatively low privilege levels and can be exploited through low-complexity attacks, making it an attractive target for threat actors seeking initial access to corporate networks. The update from SonicWall indicates an evolving understanding of how the vulnerability can be weaponized, demonstrating that security flaws can sometimes have impacts beyond their initial assessment.

### Affected Versions and Patching Information

The vulnerability impacts several versions of SonicWall SMA 100 series firmware, with specific patches available for each affected version line. Organizations running firmware versions 10.2.1.0-17sv and earlier need to upgrade to at least 10.2.1.1-19sv or higher to remediate the vulnerability. Similarly, those using version 10.2.0.7-34sv and earlier should update to at least 10.2.0.8-37sv or higher, while systems running 9.0.0.10-28sv and earlier require an upgrade to at least 9.0.0.11-31sv or higher. SonicWall's current recommendation goes beyond these minimum fixes, suggesting that all affected customers should update to firmware version 10.2.1.14-75sv for optimal protection.

The persistence of vulnerable systems nearly four years after patches were made available highlights a common challenge in cybersecurity: the significant lag between patch availability and deployment across affected organizations. This gap creates extended windows of opportunity for threat actors to exploit known vulnerabilities, even when fixes exist. The situation is complicated by the critical nature of VPN appliances in organizational infrastructure, which often makes them difficult to take offline for maintenance without significant operational disruption, potentially delaying necessary security updates in favor of continued business operations.

## Exploitation Campaign Details

According to researchers, an active campaign exploiting CVE-2021-20035 has been targeting SonicWall SMA devices since at least January 2025, continuing through April 2025. This credential access campaign specifically focuses on SMA 100 series appliances with exposed management interfaces, demonstrating the attackers' strategic targeting of vulnerable remote access infrastructure. One particularly concerning aspect of the campaign involves the exploitation of poor password hygiene, with threat actors leveraging a local super admin account (admin@LocalDomain) that was configured with the insecure default password "password". This combination of vulnerability exploitation and weak credential security provides attackers with an effective method to compromise these critical access points.

The timing of this campaign is significant, beginning several months before SonicWall's public acknowledgment of active exploitation. Our observation of this activity from January through April 2025 suggests that threat actors identified and weaponized the vulnerability long before it was officially flagged as being exploited in the wild. This delay between initial exploitation and public disclosure created an extended period during which attacks could proceed with reduced detection and response from security teams who may not have prioritized patching what was previously considered a lower-severity vulnerability. The campaign demonstrates how threat actors continually scan for and exploit vulnerabilities in security appliances, particularly those that provide remote access capabilities.

### Exploitation Tactics and Techniques

The exploitation of CVE-2021-20035 showcases an approach combining credential access with vulnerability exploitation. Attackers first target the VPN appliances for credential access, either using default credentials or employing brute force, password stuffing, or dictionary-based attacks to compromise legitimate accounts[^1_1]. Once authenticated, they leverage the vulnerability to inject arbitrary commands as a "nobody" user, which can lead to code execution despite the limited privileges of this account[^1_6][^1_12]. This two-stage approach allows threat actors to establish persistence and potentially widen the scope of their attacks within the target network.

The campaign highlights how even vulnerabilities requiring authentication can be effectively weaponized when combined with common authentication bypass techniques. Using the default admin account with its default password illustrates how basic security misconfigurations can undermine even patched systems, providing attackers with the initial access needed to exploit the vulnerability. Our researchers continue to track indicators of compromise associated with this campaign, alerting customers when related activity is observed in their environments[^1_1].

## Regulatory Response and Implications

On April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming that the vulnerability is being actively exploited in attacks. This addition to the KEV catalog triggers requirements under CISA's Binding Operational Directive (BOD) 22-01, mandating that all Federal Civilian Executive Branch (FCEB) agencies must either patch their SonicWall appliances or discontinue use of the products if mitigations cannot be applied by May 7, 2025. This three-week remediation timeline underscores the urgency with which CISA views this threat to federal infrastructure.

The CISA listing for the SonicWall flaw notes that it's currently unknown whether the exploitation activity involves ransomware attacks, though the agency clearly considers the vulnerability a significant threat to federal networks. The explicit timeline for remediation puts pressure on federal agencies to prioritize patching these devices, even if it requires service disruption. While BOD 22-01 only directly applies to U.S. federal agencies, the directive also sets a benchmark for private sector organizations, signaling that this vulnerability requires immediate attention from all SonicWall users regardless of sector.

## Recommended Mitigations

To protect against exploitation of CVE-2021-20035, organizations should immediately apply the appropriate firmware updates provided by SonicWall. The vendor recommends updating to firmware version 10.2.1.14-75sv, including patches for this vulnerability and other security improvements. Organizations unable to patch their systems immediately should implement compensating controls to limit potential exposure while preparing for updates. Given the confirmed exploitation in the wild, these updates should be treated as urgent security measures rather than routine maintenance.

Beyond patching, several additional security measures have been recommended to reduce the risk of compromise. Organizations should limit VPN access to only the minimum necessary accounts, removing all superfluous access. Any unused or unnecessary accounts should be deactivated entirely to reduce the attack surface. Multi-factor authentication should be enabled for all accounts, providing an additional layer of security even if passwords are compromised. Finally, all local accounts on SonicWall SMA firewalls should have their passwords reset, with particular attention to removing any default credentials like the admin@LocalDomain account's default "password".
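As an added aid for the patching guidance above (example code written for this article, not SonicWall's tooling), the following checks an inventory of SMA 100 firmware version strings against the three fixed-version branches stated in the "Affected Versions and Patching Information" section and the recommended 10.2.1.14-75sv build. The version-string format (four dotted numbers, a dash, a build number and "sv") is taken from the versions quoted in the article; the inventory is constructed.

```python
import re
from typing import Dict, Tuple

# Minimum fixed build per firmware branch, as given in the article.
FIXED_BUILDS: Dict[Tuple[int, int, int], str] = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}
# Build SonicWall currently recommends for all affected customers.
RECOMMENDED = "10.2.1.14-75sv"

# e.g. "10.2.1.0-17sv" -> (10, 2, 1, 0, 17); assumed shape of SMA version strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split an SMA firmware string into a comparable tuple of integers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def assess(version: str) -> str:
    """Classify one firmware version for CVE-2021-20035.

    Returns "vulnerable" when the build is below the branch's fixed build,
    "patched" when at or above it, and "unknown-branch" for a branch the
    article does not list (treat those as needing manual review).
    """
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:3])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def at_recommended(version: str) -> bool:
    """True when the device already runs the recommended build or newer."""
    return parse_version(version) >= parse_version(RECOMMENDED)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its status, flagging patched-but-not-recommended
    builds separately so they can be scheduled for the full upgrade."""
    report = {}
    for device, version in inventory.items():
        status = assess(version)
        if status == "patched" and not at_recommended(version):
            status = "patched-upgrade-recommended"
        report[device] = status
    return report


# Constructed inventory covering each branch and edge case.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.0-17sv",   # last vulnerable build on the 10.2.1 branch
    "sma-hq-02": "10.2.1.1-19sv",   # exactly the minimum fix
    "sma-hq-03": "10.2.1.14-75sv",  # recommended build
    "sma-dc-01": "10.2.0.7-34sv",   # vulnerable on the 10.2.0 branch
    "sma-dc-02": "9.0.0.11-31sv",   # fixed on the 9.0.0 branch
    "sma-lab-01": "10.2.2.0-1sv",   # branch not covered by the article
}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:10s} {SAMPLE_INVENTORY[device]:16s} {status}")
```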
### Additional Security Recommendations

Network defenders should also implement a comprehensive monitoring strategy for their VPN appliances, actively auditing access logs to identify signs of unauthorized or anomalous remote access attempts[^1_4]. Implementing network segmentation can help limit the potential impact of a successful breach, ensuring that compromised VPN access doesn't immediately translate to full network access. Organizations should consider applying web application firewalls (WAF) and additional hardening measures to further reduce the attack surface of their SMA management interfaces.

The vulnerability underscores the importance of proper credential management and authentication practices for administrative accounts on security appliances. Even fully patched firewall devices may become compromised if accounts use poor password hygiene, as demonstrated by exploiting the default admin account in this campaign. Organizations should review their password policies, particularly for administrative accounts on network security devices, to ensure they meet current security standards and are regularly rotated. This comprehensive approach to security goes beyond merely patching vulnerabilities to address the broader security posture necessary to protect critical infrastructure devices.

## Broader Context and Related Vulnerabilities

The exploitation of [CVE-2021-20035](https://www.sonicwall.com/support/notices/product-notice-arbitrary-command-injection-vulnerability-in-sonicwall-sma-100-series-appliances/250415122607607) is part of a concerning trend of attacks targeting VPN and secure access appliances, which represent critical components of organizational security infrastructure. These edge devices have become popular targets for threat actors as both cybercriminals and nation-state attackers have shifted focus to VPNs and firewalls as entry points into protected networks. This trend is particularly significant as many organizations continue to support remote work arrangements, increasing their reliance on VPN infrastructure and potentially expanding their attack surface.

SonicWall products have experienced multiple serious security challenges in recent months. In January 2025, the company urged customers to patch a critical vulnerability [CVE-2025-23006](https://nvd.nist.gov/vuln/detail/CVE-2025-23006) affecting SMA1000 secure access gateways following reports of zero-day exploitation. This vulnerability had a CVSS score of 9.8 out of 10, indicating extremely high severity, and allowed unauthenticated remote attackers to execute arbitrary operating system commands under certain conditions. In February 2025, SonicWall warned of an actively exploited authentication bypass flaw (CVE-2024-53704) in Gen 6 and Gen 7 firewalls that could allow hackers to hijack VPN sessions. This pattern of vulnerabilities suggests ongoing security challenges across SonicWall's product portfolio.

Originally underestimated as a denial-of-service issue when patched in 2021, this vulnerability has now been confirmed to enable remote code execution by sophisticated threat actors. The addition of this vulnerability to CISA's Known Exploited Vulnerabilities catalog underscores its significance and creates regulatory pressure for federal agencies to address the issue by May 7, 2025. For all organizations using SonicWall SMA devices, immediate patching to the latest firmware versions is essential, along with implementing additional security measures such as multi-factor authentication, account auditing, and password resets. This incident serves as a powerful reminder that security infrastructure itself can become a vector for attacks when not properly maintained and secured, highlighting the critical importance of comprehensive security practices for edge devices and remote access solutions.

19-Apr-2025
10 min read