Actively Exploited Vulnerability in SonicWall SMA Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection that could result in code execution.

"Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution," SonicWall said in an advisory released in September 2021.

The flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices running the following versions -

  • 10.2.1.0-17sv and earlier (Fixed in 10.2.1.1-19sv and higher)
  • 10.2.0.7-34sv and earlier (Fixed in 10.2.0.8-37sv and higher)
  • 9.0.0.10-28sv and earlier (Fixed in 9.0.0.11-31sv and higher)
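The version list above is what an asset owner has to check an inventory against. The script below is an added example (not SonicWall's, CISA's or Arctic Wolf's code) that parses SMA firmware strings of the form `MAJOR.MINOR.PATCH.BUILD-NNsv`, maps each to one of the three affected branches, and flags anything below that branch's first fixed build. The hostnames and firmware strings in the sample inventory are constructed; the fixed-version table is taken from the list on this page, and versions in branches the advisory does not mention are reported as needing manual review rather than being assumed safe.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First fixed build per affected branch, as listed in the advisory summary above.
# Anything in the same branch below this build is treated as vulnerable; this is
# deliberately conservative about builds between "last vulnerable" and "first fixed".
FIXED_VERSIONS: Dict[str, str] = {
    "10.2.1": "10.2.1.1-19sv",
    "10.2.0": "10.2.0.8-37sv",
    "9.0.0": "9.0.0.11-31sv",
}

# SMA firmware strings look like 10.2.1.0-17sv: four dotted numbers, a dash, a build number, "sv".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so tuples compare numerically."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA firmware version string: {text!r}")
    return tuple(int(g) for g in match.groups())  # type: ignore[return-value]


def branch_of(version: Version) -> str:
    """The advisory groups fixes by the first three components (e.g. '10.2.1')."""
    return ".".join(str(part) for part in version[:3])


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the branch's fixed build, False if at or above it,
    None if the branch is not one the advisory lists (needs manual review)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(branch_of(version))
    if fixed is None:
        return None
    return version < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each (hostname, firmware) pair for a patch-tracking report."""
    report: Dict[str, str] = {}
    for host, firmware in inventory:
        try:
            state = is_vulnerable(firmware)
        except ValueError:
            report[host] = "unparseable version"
            continue
        if state is None:
            report[host] = "branch not covered by advisory; review manually"
        elif state:
            report[host] = f"VULNERABLE ({firmware}); upgrade to {FIXED_VERSIONS[branch_of(parse_version(firmware))]} or later"
        else:
            report[host] = f"patched ({firmware})"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample_inventory = [
        ("sma-dc1.example.internal", "10.2.1.0-17sv"),
        ("sma-dc2.example.internal", "10.2.1.1-19sv"),
        ("sma-branch.example.internal", "9.0.0.10-28sv"),
        ("sma-lab.example.internal", "10.2.2.0-1sv"),
        ("sma-old.example.internal", "v9"),
    ]
    for host, verdict in triage(sample_inventory).items():
        print(f"{host}: {verdict}")
```

Because the comparison is a plain tuple comparison, the same routine handles any build number the vendor ships later in the three branches; only the `FIXED_VERSIONS` table needs updating if the advisory changes.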

While the exact details surrounding the exploitation of CVE-2021-20035 are presently unknown, SonicWall has since revised the bulletin to acknowledge that "this vulnerability is potentially being exploited in the wild."

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by May 7, 2025, to secure their networks against active threats.

Update

Arctic Wolf, in a report published this week, said it has been tracking a campaign targeting VPN credential access on SonicWall SMA devices since January 2025. It's suspected that the activity is related to the exploitation of CVE-2021-20035.

"One noteworthy aspect of the campaign was the use of a local super admin account (admin@LocalDomain) on these appliances, which has an insecure default password of 'password,'" security researcher Andres Ramos said. "It is important to note that even fully patched firewall devices may still become compromised if accounts use poor password hygiene."

"When accounts on firewalls are compromised independently, vulnerabilities such as CVE-2021-20035 can be used in tandem to establish persistence and widen the scope of attacks."

(The story was updated after publication to include insights from Arctic Wolf.)
