Pierluigi Paganini April 19, 2025

Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.

Arctic Wolf researchers warn that threat actors actively exploit a vulnerability, tracked as CVE-2021-20035 (CVSS score of 7.1), in SonicWall Secure Mobile Access (SMA) since at least January 2025.

The vulnerability is an OS Command Injection Vulnerability in the SMA100 management interface. A remote authenticated attacker can exploit the flaw to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to arbitrary code execution.

“Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to code execution.” reads the advisory.

The vulnerability impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, the vendor addressed the vulnerability in September 2021. An attacker can exploit the vulnerability to take down vulnerable appliances in denial-of-service (DoS) attacks.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw CVE-2021-20035, to its Known Exploited Vulnerabilities (KEV) catalog.

CISA orders federal agencies to fix this vulnerability by May 7, 2025.

This week, SonicWall updated its advisory, confirming that this vulnerability is potentially being exploited in the wild.

Arctic Wolf has uncovered an active campaign, running from January to April 2025, targeting SonicWall SMA 100 series appliances to steal VPN credentials. Threat actors were spotted exploiting the default super admin account (admin@LocalDomain), which often still uses the weak default password “password.” Even fully patched devices can be compromised if password hygiene is poor. Arctic Wolf is monitoring the situation and urges organizations to secure all local accounts.

“One noteworthy aspect of the campaign was the use of a local super admin account (admin@LocalDomain) on these appliances, which has an insecure default password of password.” reads the report published by Arctic Wolf, which also shared Indicators of Compromise.

“It is important to note that even fully patched firewall devices may still become compromised if accounts use poor password hygiene.”

Arctic Wolf recommends limiting VPN access, disabling unused accounts, enabling multi-factor authentication, and resetting all local account passwords on SonicWall SMA firewalls to block CVE-2021-20035 attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs –hacking, Remote Code Execution)