CISA Warns of SonicWall Command Injection Vulnerability Exploited in Wild
- From: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical SonicWall vulnerability that is actively being exploited by threat actors.
On April 16, 2025, CISA added CVE-2021-20035, a command injection vulnerability affecting SonicWall SMA100 appliances, to its Known Exploited Vulnerabilities (KEV) Catalog after confirming evidence of active exploitation in the wild.
SonicWall Command Injection Vulnerability Exploited in Wild
CVE-2021-20035 affects SonicWall SMA100 Series appliances, which are widely deployed across organizations for secure remote access.
The vulnerability, which has been assigned a CVSS score of 7.2, stems from improper neutralization of special elements in the SMA100 management interface.
“This vulnerability is potentially being exploited in the wild,” SonicWall confirmed in a security advisory update published April 14, 2025.
The flaw enables OS command injection via the management interface, allowing remote authenticated attackers to inject arbitrary operating system commands as the ‘nobody’ user.
Successful exploitation could lead to code execution on the appliance in the context of that ‘nobody’ account, potentially giving attackers broad control over the compromised device.
Security experts warn that since these devices frequently serve as network gateways, their compromise carries significant risks.
Attackers could leverage this vulnerability to steal sensitive data, deploy ransomware, or establish persistence for deeper lateral movement across the victim’s network.
The summary of the vulnerability is given below:
- Affected products: SonicWall SMA100 Series (SMA 200, 210, 400, 410, 500v) running 9.0.0.10-28sv and earlier, 10.2.0.7-34sv and earlier, or 10.2.1.0-17sv and earlier
- Impact: OS command injection as the ‘nobody’ user via the management interface, which could lead to code execution, denial of service (DoS), and compromise of system integrity and availability
- Exploit prerequisites: Remote authenticated access to the management interface (valid credentials required)
- CVSS 3.1 score: 7.2
Affected Systems and Remediation
The vulnerability impacts multiple versions of SonicWall SMA100 Series appliances, including SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v virtual appliances deployed across various platforms such as ESX, KVM, AWS, and Azure.
SonicWall has released patched versions addressing the vulnerability:
- For version 10.2.1.0-17sv and earlier: Update to 10.2.1.1-19sv or higher.
- For version 10.2.0.7-34sv and earlier: Update to 10.2.0.8-37sv or higher.
- For version 9.0.0.10-28sv and earlier: Update to 9.0.0.11-31sv or higher.
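Because the fix lives on three separate firmware branches, a fleet check that only compares "newest number wins" will misjudge appliances (10.2.0.8-37sv is patched even though it is numerically below the vulnerable 10.2.1.0-17sv). The following is an added example, not code from the article or from SonicWall: it parses the version format the article uses (`X.Y.Z.W-NNsv`, assumed to be the format reported by the appliance) and classifies each device against the affected/fixed versions listed above. The hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example: classify SMA100 firmware versions against the fixed
# releases for CVE-2021-20035 as listed in the article. Not vendor code.


class Branch(NamedTuple):
    last_affected: str  # highest version the advisory marks as affected
    fixed: str          # first version on this branch that carries the fix


# Branch key = first three version components (9.0.0, 10.2.0, 10.2.1).
BRANCHES: Dict[Tuple[int, int, int], Branch] = {
    (9, 0, 0):  Branch("9.0.0.10-28sv", "9.0.0.11-31sv"),
    (10, 2, 0): Branch("10.2.0.7-34sv", "10.2.0.8-37sv"),
    (10, 2, 1): Branch("10.2.1.0-17sv", "10.2.1.1-19sv"),
}

# Assumed version format, e.g. "10.2.1.0-17sv": four dotted integers,
# a hyphen, a build number and the literal "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2.1.0-17sv' -> (10, 2, 1, 0, 17); raises ValueError on bad input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version: str) -> dict:
    """Return status and, if vulnerable, the fixed version to upgrade to.

    Statuses:
      vulnerable     - at or below the last affected version on its branch
      patched        - at or above the fixed version on its branch
      unverified     - between the two (not covered by the advisory table)
      unknown-branch - a branch the advisory does not list; check vendor guidance
    """
    v = parse_version(version)
    branch = BRANCHES.get(v[:3])
    result: dict = {"version": version, "status": None, "upgrade_to": None}
    if branch is None:
        result["status"] = "unknown-branch"
    elif v <= parse_version(branch.last_affected):
        result["status"] = "vulnerable"
        result["upgrade_to"] = branch.fixed
    elif v >= parse_version(branch.fixed):
        result["status"] = "patched"
    else:
        result["status"] = "unverified"
    return result


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Map {host: version} to (host, status, upgrade_to), vulnerable hosts first."""
    rows = [(host, r["status"], r["upgrade_to"])
            for host, r in ((h, assess(ver)) for h, ver in inventory.items())]
    order = {"vulnerable": 0, "unverified": 1, "unknown-branch": 2, "patched": 3}
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "sma-hq-01":   "10.2.1.0-17sv",   # last affected on the 10.2.1 branch
    "sma-dc-02":   "10.2.0.8-37sv",   # first fixed release on 10.2.0
    "sma-lab-03":  "9.0.0.9-20sv",    # older than the last affected 9.0.0 build
    "sma-lab-04":  "10.2.1.0-18sv",   # falls between last affected and fixed
    "sma-cloud-05": "10.2.1.3-27sv",  # later 10.2.1 release, at or above the fix
}

if __name__ == "__main__":
    for host, status, upgrade_to in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:15} {upgrade_to or '-'}")
```

The "unverified" status is deliberate: the advisory only states "X and earlier" is affected and "Y or higher" is fixed, so a build that sits between the two should be escalated to SonicWall rather than silently treated as safe.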
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by May 7, 2025.
The directive establishes the KEV Catalog as an authoritative source of vulnerabilities that carry significant risk to federal networks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned in its advisory.
The exploitation of SonicWall appliances follows a concerning pattern of attacks targeting network security infrastructure.
Earlier this year, CISA confirmed exploitation of other SonicWall vulnerabilities, including a critical remote code execution flaw (CVE-2025-23006) in SMA1000 appliances that received a severity score of 9.8.
Organizations using affected SonicWall appliances should:
- Apply the appropriate patches immediately.
- Review systems for indicators of compromise.
- Implement network segmentation to limit potential lateral movement.
- Monitor for suspicious authentication activity against the management interface, since exploitation requires valid credentials and a compromised or brute-forced account is the likely entry point.
CISA strongly urges all organizations to prioritize remediation of this vulnerability. The agency recommends implementing a robust vulnerability management framework that incorporates the KEV catalog as a prioritization input.