SonicWall Patches Three Flaws in SMA 100 Devices

---

SonicWall has released security patches addressing three critical vulnerabilities in its SMA 100 Secure Mobile Access (SMA) appliances, which could allow attackers to achieve remote code execution (RCE) with root privileges. These vulnerabilities have been actively exploited, prompting urgent remediation efforts.

1. Overview of the Vulnerabilities

CVE-2025-32819: Path Traversal & Arbitrary File Deletion

• Vulnerability Type: Path Traversal (CWE-22) & Arbitrary File Deletion (CWE-552)
• Impact: Privilege Escalation & System Reset
• CVSS Score: 8.8 (High)
• Description:
• Allows remote authenticated attackers with SSL-VPN user privileges to bypass path traversal checks and delete arbitrary files.
• Exploitation could result in rebooting the device to factory default settings, disrupting operations.

CVE-2025-32820: Path Traversal Leading to Writable Directories

• Vulnerability Type: Improper Limitation of Pathname to Restricted Directory (CWE-22)
• Impact: Privilege Escalation & System Compromise
• CVSS Score: 8.3 (High)
• Description:
• Attackers can inject path traversal sequences to make any directory on the SMA appliance writable.
• This flaw enables modification of critical system files, potentially leading to malware deployment.

CVE-2025-32821: Remote Command Injection

• Vulnerability Type: OS Command Injection (CWE-78)
• Impact: Remote Code Execution (RCE)
• CVSS Score: 6.7 (Medium)
• Description:
• Attackers with SSL-VPN admin privileges can inject shell command arguments, allowing them to upload and execute malicious files on the appliance.
• This vulnerability enables root-level remote code execution, making it a severe security risk.

2. Affected Devices

These vulnerabilities impact the SMA 100 Series, including:

• SMA 200, 210, 400, 410, 500v
• Affected Firmware Versions: 10.2.1.14-75sv and earlier

Devices Not Affected

• SonicWall SSL VPN SMA1000 series is not impacted by these vulnerabilities.

3. Exploitation Details

Active Exploitation

• Security researchers have observed threat actors chaining these vulnerabilities to achieve root-level access on compromised devices.
• Indicators of Compromise (IoCs) suggest that CVE-2025-32819 may have been exploited as a zero-day vulnerability before the patch was released.
• Rapid7’s security report confirms that attackers can use these flaws to escalate privileges, modify system directories, and execute arbitrary code.

Potential Attack Scenarios

• Privilege Escalation – Attackers can gain administrator access and modify system settings.
• Malware Deployment – Exploited devices can be used to host malicious payloads or launch further attacks.
• System Disruption – Arbitrary file deletion could reset devices to factory settings, causing downtime.

4. Mitigation Strategies

A. Apply Security Updates

• Upgrade to SMA 100 firmware version 10.2.1.15-81sv or later.
• Ensure all affected devices are patched immediately.

B. Enable Multi-Factor Authentication (MFA)

• MFA prevents attackers from exploiting compromised credentials.
• Enable MFA on the appliance directly or via directory services.

C. Restrict Access to SSL-VPN Interfaces

• Limit access to trusted IP addresses using firewall rules.
• Disable remote management unless necessary.

D. Monitor for Exploitation

• Deploy Intrusion Detection Systems (IDS) to flag unauthorized file modifications.
• Audit logs for unexpected privilege escalations or command execution attempts.

5. Compliance Requirements

Federal Agencies

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply patches by May 28, 2025.

6. Conclusion

The inclusion of CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821 in security advisories highlights the critical nature of these vulnerabilities. Organizations using SonicWall SMA 100 devices must prioritize patching, restrict access, and monitor for exploitation to mitigate risks.