Hackers Target SonicWall SMA Devices Using 2021 Vulnerability Since January 2025

Tuesday, April 22, 2025

Researchers from Arctic Wolf have issued a warning about an ongoing cyberattack campaign targeting SonicWall Secure Mobile Access (SMA) devices. The attacks, active since January 2025, exploit CVE-2021-20035, a known OS command injection vulnerability in the SMA 100 management interface. The flaw allows a remote, authenticated attacker to inject arbitrary system commands that run with the privileges of the "nobody" user, which can lead to remote code execution (RCE) on the appliance.

The vulnerability affects SMA 200, 210, 400, 410, and 500v models. Although SonicWall released a patch in 2021, attackers have recently resumed exploiting unpatched systems. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE to its Known Exploited Vulnerabilities (KEV) Catalog and mandated that all federal agencies apply the patch by May 7, 2025.

SonicWall has updated its security advisory to confirm active exploitation. Arctic Wolf observed repeated attack attempts from January through April 2025, primarily aimed at stealing VPN credentials from vulnerable SMA 100 devices.

Additionally, Arctic Wolf highlighted that attackers are taking advantage of default administrative accounts, such as admin@LocalDomain, which in many cases still use the factory default password ("password"). Because this is a credential weakness rather than a software bug, poor password hygiene remains a major risk even on patched systems. Organizations are urged to act immediately: change default passwords, disable unused accounts, enable multi-factor authentication (MFA), and restrict VPN access to minimize exposure and reduce the attack surface.
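The two behaviours Arctic Wolf describes, password guessing against the VPN portal and logins with the default admin@LocalDomain account, are both visible in appliance authentication logs. The following triage script is an added example written for this page; it is not code from the article, Arctic Wolf or SonicWall. The log line format, the account list, the thresholds and the sample lines are all constructed assumptions: adapt the regular expression to the export format of your own SMA 100 logs before using it.

```python
"""Triage authentication events for the SMA 100 campaign described above.

ASSUMPTION: the syslog-style line format below is constructed for this example
and is NOT the real SonicWall SMA 100 log schema. Adjust LINE_RE to match your
appliance's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default administrative accounts to watch (lower-cased for comparison).
DEFAULT_ADMIN_ACCOUNTS = {"admin@localdomain"}
# Treat N or more failures from one source IP within WINDOW as password guessing.
FAILED_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample lines, not real appliance output. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2025-04-20T02:11:05Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 result=failure
2025-04-20T02:11:07Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 result=failure
2025-04-20T02:11:09Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 result=failure
2025-04-20T02:11:12Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 result=failure
2025-04-20T02:11:14Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 result=failure
2025-04-20T02:11:20Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 result=success
2025-04-20T08:30:00Z sma100 auth: user=jdoe@corp.example src=198.51.100.7 result=success
2025-04-20T09:00:00Z sma100 auth: user=jdoe@corp.example src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def analyze(log_text):
    """Return a list of (finding_type, subject, detail) tuples."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []

    # 1. Any successful login with a default administrative account. These
    #    accounts should have been renamed, disabled or re-keyed, so a success
    #    is worth a ticket regardless of the source address.
    for e in events:
        if e["result"] == "success" and e["user"].lower() in DEFAULT_ADMIN_ACCOUNTS:
            findings.append(("default_admin_login", e["user"], e["src"]))

    # 2. Password guessing: FAILED_THRESHOLD or more failures from one source
    #    inside a sliding WINDOW. Report each source once, with the burst size.
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]].append(e["ts"])
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= WINDOW:
                j += 1
            if j - i >= FAILED_THRESHOLD:
                findings.append(("password_guessing", src, j - i))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample data the script reports one password-guessing burst from 203.0.113.10 followed by a successful default-account login from the same address, which is exactly the sequence the article warns about; the single failure for jdoe@corp.example stays below the threshold and is not reported.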

Source https://securityaffairs.com/176706/security/attackers-exploited-sonicwall-sma-appliances-since-january-2025.html