On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to federal agencies about securing their SonicWall Secure Mobile Access (SMA) 100 series appliances. These devices are vulnerable to a critical remote code execution flaw that attackers could exploit.
The vulnerability, identified as CVE-2021-20035, affects the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices (including versions for ESX, KVM, AWS, and Azure). If successfully exploited, this flaw can allow attackers with minimal privileges to execute arbitrary code in low-complexity attacks.
According to SonicWall, the issue arises from improper handling of special elements in the SMA100 management interface. This allows a remote attacker, who is authenticated as a ‘nobody’ user, to inject arbitrary commands, potentially leading to code execution.
SonicWall initially patched this vulnerability in September 2021. At that time, the company stated it could only be used to launch denial-of-service (DoS) attacks, which could bring down the affected appliances. However, earlier this week, SonicWall updated the advisory to indicate that the flaw is now being exploited for remote code execution. The severity rating was raised from medium to high, and the CVSS score was updated to 7.2.
CISA confirmed that the vulnerability is actively being exploited in real-world attacks. The agency added it to its Known Exploited Vulnerabilities catalog, which lists security flaws that are actively targeted by cybercriminals.
As per the Binding Operational Directive (BOD) 22-01, issued in November 2021, U.S. federal agencies must secure their networks within three weeks, by May 7th. Although the directive applies only to federal agencies, CISA urges all network defenders to prioritize patching this vulnerability to prevent potential breaches.
CISA emphasized that vulnerabilities like this one are common attack vectors for malicious actors and pose significant risks, especially for federal agencies.
In February, SonicWall also warned about an actively exploited flaw in its Gen 6 and Gen 7 firewalls, which could allow hackers to hijack VPN sessions. A month earlier, the company had urged customers to patch a critical vulnerability in its SMA1000 secure access gateways, which had been exploited in zero-day attacks.
