
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security vulnerability affecting SonicWall Secure Mobile Access (SMA) 100 Series devices to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of real-world exploitation.

This high-severity flaw, tracked as CVE-2021-20035 with a CVSS score of 7.2, is an OS command injection vulnerability that allows remote, authenticated attackers to execute arbitrary commands as the “nobody” user through the device’s management interface.

According to SonicWall’s original advisory, this issue stems from improper handling of special elements in the SMA100 management interface, opening the door for attackers to potentially run unauthorized code.

Affected Devices and Versions:

  • SMA 200, 210, 400, 410, and 500v (ESX, KVM, AWS, Azure)

  • Impacted versions include:

    • 10.2.1.0-17sv and earlier (patched in 10.2.1.1-19sv)

    • 10.2.0.7-34sv and earlier (patched in 10.2.0.8-37sv)

    • 9.0.0.10-28sv and earlier (patched in 9.0.0.11-31sv)
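
To check an inventory against the list above, the firmware strings have to be compared as numbers rather than text. The following is an added example, not code from SonicWall or CISA. It assumes that a release branch is identified by the first three version components and that any build below the fixed build of its branch is affected; the host names are hypothetical and the inventory is constructed.

```python
import re

# Fixed builds per release branch, copied from the list above.
PATCHED = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Split '10.2.0.7-34sv' into the integer tuple (10, 2, 0, 7, 34)."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version):
    """Return 'affected', 'patched', 'unknown' or 'unparseable'."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = PATCHED.get(parsed[:3])
    if fixed is None:
        return "unknown"  # branch not listed above: check the vendor advisory
    # Assumption: any build below the fixed build of its branch is affected.
    # Integer comparison matters: as strings, "9.0.0.10" sorts before "9.0.0.9".
    return "affected" if parsed < parse_version(fixed) else "patched"


def audit(inventory):
    """Map each host to (version, status) so affected devices can be listed."""
    return {host: (ver, classify(ver)) for host, ver in inventory.items()}


# Constructed inventory; host names and the last two versions are made up.
SAMPLE_INVENTORY = {
    "sma-edge-01": "10.2.0.7-34sv",
    "sma-edge-02": "10.2.1.1-19sv",
    "sma-lab-01": "9.0.0.10-28sv",
    "sma-lab-02": "10.2.2.0-1sv",
    "sma-lab-03": "n/a",
}

if __name__ == "__main__":
    for host, (ver, status) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {ver:16} {status}")
```
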

Though technical details on how the vulnerability is being actively exploited remain undisclosed, SonicWall has acknowledged the potential for in-the-wild exploitation in an updated security bulletin.

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies implement all required mitigations by May 7, 2025, to reduce risk and safeguard against this actively exploited threat.
