A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.

This security flaw (CVE-2021-20035) impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and was patched almost four years ago, in September 2021, when SonicWall said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks.

However, the company updated the four-year-old security advisory on Monday to flag the security bug as exploited in attacks, expand the impact to include remote code execution, and upgrade the CVSS severity score from medium to high severity.

Successful exploitation can allow remote threat actors with low privileges to exploit an "improper neutralization of special elements in the SMA100 management interface" to inject arbitrary commands as a 'nobody' user and execute arbitrary code in low-complexity attacks.

Days after SonicWall tagged the security bug as exploited in the wild without sharing when the attacks started, Arctic Wolf reported that threat actors used CVE-2021-20035 exploits in attacks as early as January 2025.

"Arctic Wolf has identified an ongoing VPN credential access campaign targeting SMA 100 series appliances, with a starting timeframe as early as January 2025, extending into April 2025," the cybersecurity firm said.

To block CVE-2021-20035 attacks targeting their SonicWall appliances, Arctic Wolf advised network defenders to limit VPN access to the minimum necessary accounts, deactivate unneeded accounts, enable multi-factor authentication for all accounts, and reset passwords for all local accounts on SonicWall SMA firewalls.

CISA has also added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming it's now being abused in the wild and ordering Federal Civilian Executive Branch (FCEB) agencies to secure their networks against ongoing attacks until May 7th.

In January, SonicWall also urged customers to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks and, one month later, in February, warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that can let hackers hijack VPN sessions.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 18 Apr 2025 15:05:21 +0000