SonicWall CVE-2021-20016 and SMS Gateway Scanning: A Rising Threat Landscape in 2025

Listen to this Post

Featured Image
Cybersecurity Alert: Surge in Web Scans Targeting SonicWall Vulnerability and SMS Gateways

In an increasingly volatile digital environment, attackers continue to leverage unpatched systems and misconfigured services to exploit sensitive infrastructure. Two prominent targets have recently seen a surge in reconnaissance and exploitation attempts: SonicWall’s Secure Mobile Access (SMA) platform, particularly exploiting CVE-2021-20016, and various SMS gateway services.

Although CVE-2021-20016 was publicly disclosed in 2021, new scanning activities have been reported in April 2025, raising concerns about renewed or persistent threat actor interest. At the same time, SMS gateways—especially those used for WordPress and Twilio integrations—have come under active scanning for vulnerabilities, credential leaks, and configuration weaknesses. These attacks are likely aimed at leveraging unauthorized SMS capabilities for spam or fraud. This report analyzes the timeline of these scans, their indicators, and potential security implications.

Recent Web Scanning Activity: What You Need to Know

  • Vulnerability Focus: CVE-2021-20016 is a critical unauthenticated SQL injection flaw in SonicWall SMA devices that allows attackers to extract session information and bypass authentication mechanisms.
  • Initial Exposure: First made public in early 2022, this vulnerability resurfaced in threat reports following increased scanning events in April 2025.

– Recent Scanning Timeline:

– First detected: April 22, 2023.

  • Surge in reports: April 23, 2025, between 18:00–19:00 UTC.
  • Ongoing activity: Daily scans reported to DShield since the spike.

– Malicious IP Addresses Identified:

– 45.227.255.93

– 141.98.80.125

– 141.98.80.146

– Paths Scanned:

– `/__api__/v1/config/domains`

– `/__api__/v1/logon`

– Security Advisory Sources:

– [Tenable Blog on CVE-2021-20016](https://es-la.tenable.com/blog/cve-2021-20016-zero-day-vulnerability-in-sonicwall-secure-mobile-access-sma-exploited)

– [SonicWall Security Advisory PDF](https://cow-prod-www-v3.azurewebsites.net/publications/security-advisories/2021-006/pdf)

Parallel Scanning Campaigns: SMS Gateways Under Siege

  • Context: Attackers seek cheap or free SMS delivery options using exposed SMS gateways.
  • Observed Targets: Hardware SMS gateways, WordPress plugins, and Twilio configurations.

– Scanned Plugin Paths:

– `/wp-content/plugins/sms-alert/css/admin.css`

– `/wp-content/plugins/mediaburst-email-to-sms/css/clockwork.css`

– `/wp-content/plugins/verification-sms-targetsms/css/targetvr-style.css`

– `/wp-content/plugins/wp-sms/assets/css/admin-bar.css`

– `/wp-content/plugins/textme-sms-integration/css/textme.css`

– Other Detected Files and Endpoints:

– Misplaced configs: `/twilio/.config/bin/aws/lib/.env`, `/twillio_creds.php`, `/sms_config.json`

– API endpoints: `/sms/api/`, `/api/v1/livechat/sms-incoming/twilio`, `/sms.py`

– Malicious artifacts: `Sms_Bomber.exe`, `SMS_bomber.exe`

  • Proxy Scans Noted: Sites like `https://sms-activate.org` indicate efforts to abuse proxies for anonymity and mass texting.

  • Risk: Exposure can lead to financial loss, number blacklisting by telecom providers, and brand damage.

What Undercode Say:

Cybersecurity incidents often stem from a dangerous blend of overlooked patches, poor configuration hygiene, and underestimated persistence from threat actors. The revival of interest in CVE-2021-20016, more than three years after its disclosure, underlines how long-tail vulnerabilities remain a goldmine for attackers—especially when defenders assume “nobody targets that anymore.” The sudden spike in scans beginning April 23, 2025, and ongoing daily probe activity suggests a coordinated, automated reconnaissance effort—likely mapping out unpatched SonicWall SMA devices globally.

From a defensive perspective, this stresses the need for regular vulnerability assessments, patch audits, and proactive threat intelligence monitoring. Organizations using SonicWall should immediately verify whether firmware updates addressing CVE-2021-20016 have been applied. If not, the window of exposure is wide open.

Simultaneously, the parallel wave of scans targeting SMS gateways and related WordPress plugins shows attackers are diversifying their tactics—no longer content with single-point vulnerabilities. They’re moving towards service abuse, credential scraping, and even exploiting remnants of previously installed malware tools like SMS bombers.

These scans don’t just target large enterprises; small businesses with self-hosted WordPress sites or poorly configured cloud SMS services are equally at risk. A single exposed .env file or misconfigured Twilio token could give threat actors free reign to send thousands of spam messages, rack up SMS charges, or execute social engineering campaigns using seemingly trusted sender IDs.

It’s also important to note the creative yet careless nature of some scans—for instance, unprocessed variables like %%target%% in URLs—suggesting the use of misconfigured automation tools or copy-pasted scanning scripts. Even so, their presence in live traffic logs is troubling, revealing that attackers cast wide nets hoping to catch even partially configured or abandoned systems.

These trends emphasize the shift from targeting “big bugs” to exploiting “small missteps.” In today’s landscape, attackers don’t need zero-days if your .env file is exposed to the public internet.

Organizations should act decisively:

  • Perform immediate reviews of SMS-related plugins and configurations.
  • Search for forgotten scripts or residual malicious tools like SMS_bomber.exe.
  • Lock down all accessible API endpoints and secure credential files using proper access controls and network segmentation.

Lastly, defenders should monitor outbound SMS patterns, investigate unusual traffic to gateway providers, and implement strict rate limiting or access controls for SMS functions to avoid unauthorized usage.

Fact Checker Results:

  • Confirmed: CVE-2021-20016 is a known SonicWall vulnerability from 2021, still actively targeted.
  • Verified: IPs and URLs mentioned have been observed in recent DShield and ISC logs.
  • Supported: SMS gateway and plugin scans align with known abuse patterns from previous attacker campaigns.

References:

Reported By: isc.sans.edu
Extra Source Hub:
https://stackoverflow.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram