Security researchers have identified an ongoing attack campaign exploiting a vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 series appliances. Tracked as CVE-2021-20035 (CVSS score 7.1), the flaw is an OS command injection in the appliance’s management interface: a remote attacker who can authenticate to the device can inject arbitrary commands, which in turn can lead to code execution on the appliance, denial of service, and theft of VPN credentials. Because the bug requires authentication, weak or default account passwords are the entry point that makes it exploitable from the internet.
SonicWall SMA Vulnerability: Active Exploitation Since January 2025
Arctic Wolf Labs, the research arm of security operations vendor Arctic Wolf, has raised the alarm over a wave of attacks targeting SonicWall SMA 100 series appliances. The attacks have been exploiting CVE-2021-20035, an authenticated command injection vulnerability in the SMA100 management interface, since January 2025.
The vulnerability affects the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v appliances. SonicWall published fixed firmware in September 2021, but attackers continue to find devices that were never updated, as well as devices whose local accounts still use weak or factory-default passwords.
According to Arctic Wolf, the attackers use the flaw to inject commands that execute under the unprivileged ‘nobody’ user context on the appliance, a foothold from which they can potentially escalate to full control of the device. The campaign is notable for its abuse of the default local super-admin account, admin@LocalDomain, still configured with the factory password “password”.
Despite the availability of patches, weak password hygiene remains the decisive factor in these intrusions. Arctic Wolf warns that even fully updated appliances can be compromised if local accounts are not secured: a valid credential by itself grants VPN access, and on an unpatched device it also unlocks the command injection.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal civilian agencies to remediate the issue by May 7, 2025.
SonicWall has confirmed exploitation in the wild and updated its advisory accordingly. Arctic Wolf is urging organizations running SMA 100 devices to immediately:
- Update the appliance to firmware that includes the September 2021 fix for CVE-2021-20035.
- Reset the passwords of all local admin and user accounts, starting with admin@LocalDomain.
- Disable any unused local accounts.
- Enable multi-factor authentication (MFA) for every account that can reach the device, administrative and VPN alike.
- Restrict VPN and management access to known, authorized users and source networks.
Arctic Wolf has also published Indicators of Compromise (IOCs) so that organizations can hunt for activity related to this campaign in their logs.
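The checks behind that list (default super-admin still enabled, accounts with no MFA, stale accounts, logins from unexpected networks, and a burst of failures followed by a successful login on the default account, the pattern described above) can be run as a small audit. The script below is an added example, not Arctic Wolf’s or SonicWall’s code. It works on a constructed, simplified account export and a constructed key=value auth log; real SMA exports and log lines use a different layout, so the parsing would need adjusting. The allowlist network and the audit date are assumptions.

```python
"""Audit local SMA accounts and auth events against the hardening steps.

Added example with constructed data; not SonicWall's export or log format.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Factory super-admin account abused in the campaign described in the article.
DEFAULT_ADMIN = "admin@LocalDomain"

# Date the audit is run against (assumed; a real run would use datetime.now()).
AUDIT_DATE = "2025-04-16T00:00:00"

# Constructed sample account export (simplified; not the appliance's real format).
ACCOUNTS = [
    {"user": "admin@LocalDomain", "enabled": True, "mfa": False, "last_login": "2025-04-10T03:12:44"},
    {"user": "jsmith@LocalDomain", "enabled": True, "mfa": True, "last_login": "2025-04-14T08:01:10"},
    {"user": "contractor@LocalDomain", "enabled": True, "mfa": False, "last_login": "2024-11-02T17:45:00"},
    {"user": "svc-backup@LocalDomain", "enabled": False, "mfa": False, "last_login": None},
]

# Constructed auth-log lines (RFC 5737 documentation addresses, not real IOCs).
AUTH_LOG = """\
2025-04-10T03:11:02 src=203.0.113.57 user=admin@LocalDomain result=failure
2025-04-10T03:11:05 src=203.0.113.57 user=admin@LocalDomain result=failure
2025-04-10T03:12:44 src=203.0.113.57 user=admin@LocalDomain result=success
2025-04-14T08:01:10 src=198.51.100.23 user=jsmith@LocalDomain result=success
2025-04-14T09:30:00 src=192.0.2.9 user=jsmith@LocalDomain result=success
"""

# Source networks from which VPN/admin logins are expected (assumed allowlist).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def audit_accounts(accounts, now=AUDIT_DATE, stale_days=90):
    """Return (user, reason) findings for enabled accounts that violate the checklist."""
    now_dt = datetime.fromisoformat(now)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to flag
        if acct["user"].lower() == DEFAULT_ADMIN.lower():
            findings.append((acct["user"], "default super-admin account still enabled"))
        if not acct["mfa"]:
            findings.append((acct["user"], "MFA not enforced"))
        last = acct["last_login"]
        if last is None or now_dt - datetime.fromisoformat(last) > timedelta(days=stale_days):
            findings.append((acct["user"], f"no login in {stale_days} days; disable if unused"))
    return findings


def audit_logins(log_text, allowed_nets=ALLOWED_NETS, fail_threshold=2):
    """Return (user, src, reason) findings from successful logins in the auth log."""
    findings = []
    failures = {}  # (user, src) -> consecutive failures before a success
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        user, src, result = m["user"], m["src"], m["result"]
        key = (user, src)
        if result == "failure":
            failures[key] = failures.get(key, 0) + 1
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed_nets):
            findings.append((user, src, "successful login from outside the allowlist"))
        if failures.get(key, 0) >= fail_threshold:
            findings.append((user, src, f"success after {failures[key]} failures (guessing)"))
        if user.lower() == DEFAULT_ADMIN.lower():
            findings.append((user, src, "login with the default admin account"))
        failures[key] = 0
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS):
        print("ACCOUNT", *finding)
    for finding in audit_logins(AUTH_LOG):
        print("LOGIN", *finding)
```

On the sample data the account audit flags the default admin twice (still enabled, no MFA) and the contractor account twice (no MFA, stale), and the login audit flags the three problems on the 203.0.113.57 session plus one out-of-allowlist login for jsmith. Feeding a real export and syslog stream through the same two functions, with the allowlist set to your actual admin networks, turns the vendor’s checklist into something you can re-run after every password reset.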
What Undercode Say:
The exploitation of CVE-2021-20035 is a harsh reminder that security is not just about applying patches. It is about maintaining sound operational practices long after the patch ships.
1. Patching Isn’t Enough:
The fix for this CVE has existed since 2021, yet attackers are still compromising environments in 2025 through firmware that was never updated and through passwords that were never changed. It reflects a recurring, industry-wide problem: patch fatigue and administrative neglect.
2. Default Credentials: The Silent Killer
Leaving the default super-admin account admin@LocalDomain with the password “password” is indefensible in 2025. It is the equivalent of leaving your front door unlocked in a hostile neighborhood. SonicWall SMA appliances sit at the edge of enterprise networks and demand tighter access controls than that.
3. Old Vulnerabilities Combined with Weak Configuration
This is not a chain of multiple vulnerabilities; it is a single four-year-old bug combined with weak credentials that supply the authentication it needs. That combination is a larger pattern in long-term exploitation. The campaign, running from January to April 2025, shows adversaries who are patient and methodical.
4. Government and Sector-Wide Risk
CISA’s addition of the CVE to the KEV catalog underlines the federal exposure. With SonicWall appliances deployed across sectors from education to government, the implications stretch well beyond corporate networks. A compromised VPN gateway is a stepping stone into whatever network sits behind it, including critical infrastructure.
5. IOCs Matter But Aren’t a Cure
Arctic Wolf’s Indicators of Compromise are useful for hunting an intrusion that has already begun; they do not prevent one. Proactive monitoring of edge-device logins, zero-trust access policies, and behavioral analysis of the appliance itself are the better long-term mitigations.
6. Why Edge Devices Are an Increasingly Popular Target
VPN appliances such as the SonicWall SMA 100 series, like perimeter firewalls, are heavily targeted because they sit at the boundary of the network and must be reachable from the internet. Once compromised, they give attackers a privileged beachhead into the internal network.
7. Multi-Factor Authentication as Baseline
Organizations still treating MFA as optional are at risk. Arctic Wolf presents MFA not as a best practice but as a requirement for securing these edge devices; with MFA in place, a guessed or default password alone no longer yields a session.
8. Security Debt Is Accumulating
That a 2021 vulnerability is still being actively exploited in 2025 is a damning indictment of current security hygiene. Companies are accruing security debt, and attackers are cashing it in.
9. Campaign Timelines Reflect Strategic Adversaries
The January to April window is worth recording. Threat actors may align activity with seasonal workloads or holidays, and tracking the temporal patterns of campaigns against edge devices can feed predictive threat modeling.
10. Hardening Needs to Be Holistic
It is not enough to secure the VPN endpoint. Admin interfaces, internal tools, local accounts, and firmware must all be hardened. Attackers will always seek the weakest link, and sometimes that is a user who never changed the password.
Fact Checker Results
- Vulnerability CVE-2021-20035 was officially patched by SonicWall in September 2021.
- CISA added this CVE to its KEV catalog in April 2025, confirming active exploitation.
- Arctic Wolf has verified real-world attacks leveraging weak default credentials on SMA appliances.
References:
Reported By: securityaffairs.com