SonicWall SMA Vulnerabilities Actively Exploited in Attacks
Users of SonicWall Secure Mobile Access (SMA) appliances have been warned about three vulnerabilities that are potentially being targeted by threat actors in attacks. The vulnerabilities are not zero-days, having been previously disclosed and patched by SonicWall in December 2023 and April 2025. Evidence has emerged that threat actors are actively targeting the flaws to attack unpatched SMA appliances.
The vulnerabilities are tracked as CVE-2021-20035, CVE-2023-44221, and CVE-2024-38475, and all three have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) Catalog. SonicWall issued a warning about exploitation of the CVE-2021-20035 vulnerability in mid-April, with a further announcement made about potential exploitation of the other two vulnerabilities at the end of last month.
CVE-2021-20035 is a high-severity flaw from 2021 that affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices running versions 9.0.0.10-28sv and earlier, 10.2.0.7-34sv and earlier, and 10.2.1.0-17sv and earlier. The vulnerability is thought to have been exploited in attacks since January 2025. The vulnerability has been fixed in versions 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, and 9.0.0.11-31sv and higher. According to SonicWall, the vulnerability is due to improper neutralization of special elements in the SMA100 management interface. Exploitation could allow a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to code execution.
CVE-2023-44221 is a high-severity vulnerability from 2023 in the SMA100 SSL-VPN management interface. The vulnerability affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices running versions 10.2.1.9-57sv and prior and has been fixed in version 10.2.1.10-62sv and higher. The vulnerability is due to improper neutralization of special elements used in an OS command. SonicWall says a post-authenticated remote attacker with administrative privilege could inject arbitrary commands, which could potentially lead to OS command execution on the appliance.
CVE-2024-38475 is a critical-severity path traversal vulnerability affecting SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices running 10.2.1.13-72sv and earlier versions. The vulnerability has been fixed in 10.2.1.14-75sv and higher versions. The vulnerability has been attributed to a publicly known Apache HTTP Server vulnerability. According to SonicWall, “Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.”
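A quick way to turn the fixed-version figures quoted above for the three KEV-listed CVEs into a fleet check is to parse the SMA100 firmware string and compare it against the fixed build for the same firmware branch. The script below is an added example by the editor, not SonicWall tooling; the fixed versions are taken from the article text, while the version-string grammar (e.g. `10.2.1.13-72sv`) and the sample inventory are assumptions.

```python
"""Audit SMA 100-series firmware versions against the fixed versions quoted in the article."""
import re

# Fixed versions as stated in the article, one entry per firmware branch (major.minor.patch).
FIXED = {
    "CVE-2021-20035": ["9.0.0.11-31sv", "10.2.0.8-37sv", "10.2.1.1-19sv"],
    "CVE-2023-44221": ["10.2.1.10-62sv"],
    "CVE-2024-38475": ["10.2.1.14-75sv"],
}

# Assumed grammar: four dotted numeric fields, a dash, a build number and the 'sv' suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.1.13-72sv' into (10, 2, 1, 13, 72) so versions compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def status(version: str, cve: str) -> str:
    """Return 'patched', 'unpatched', or 'review' (branch not covered by the stated fix list)."""
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED[cve]]
    same_branch = [f for f in fixes if f[:3] == v[:3]]  # fix issued for this firmware line
    if same_branch:
        return "patched" if v >= same_branch[0] else "unpatched"
    # No fix listed for this branch: anything older than every fixed build is unpatched;
    # anything newer is outside what the article states and needs the vendor advisory.
    return "unpatched" if all(v < f for f in fixes) else "review"


def audit(inventory: dict) -> dict:
    """inventory: {hostname: version} -> {hostname: {cve: status}} for hosts not fully patched."""
    report = {}
    for host, version in inventory.items():
        findings = {cve: status(version, cve) for cve in FIXED}
        bad = {cve: s for cve, s in findings.items() if s != "patched"}
        if bad:
            report[host] = bad
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and running versions are made up.
    sample = {"sma-dc1": "10.2.1.9-57sv", "sma-dc2": "10.2.1.14-75sv", "sma-lab": "10.2.0.8-37sv"}
    for host, bad in audit(sample).items():
        print(host, bad)
```

A host that shows as "unpatched" for any of the three CVEs should be updated and then investigated for signs of prior compromise, as the article recommends.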
Another critical vulnerability, CVE-2025-23006, was announced in January and was being exploited by threat actors as a zero-day at the time. The vulnerability affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices running version 12.4.3-020804 (platform-hotfix) and prior versions and has been fixed in version 12.4.3-02854 (platform-hotfix) and higher versions. The vulnerability is due to pre-authentication deserialization of untrusted data in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). Successful exploitation could allow a remote unauthenticated attacker to execute arbitrary OS commands.
Vulnerabilities in SonicWall devices are often targeted by threat actors, so patching should be prioritized. Admins should confirm which firmware version their SMA appliances are running and update immediately to the latest version to prevent exploitation of the above vulnerabilities. Because these flaws have already been exploited in the wild, updating is not sufficient on its own: appliances that ran a vulnerable version should also be investigated to determine whether they have already been compromised.