On April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog following confirmed reports of active exploitation in the wild.
This vulnerability affects SonicWall Secure Mobile Access (SMA) 100 series appliances including SMA 200, 210, 400, 410, and 500v across physical, virtual, and cloud environments.
Vulnerability Details
- CVE: CVE-2021-20035
- Severity (CVSS v3.1): 7.2 (High)
- Attack Vector: Remote
- Prerequisites: Authenticated access with low privileges
- Impact: Remote Code Execution (RCE) as a “nobody” user
- Affected Versions:
- Versions up to 10.2.1.0-17sv, 10.2.0.7-34sv, and 9.0.0.10-28sv
Originally patched in September 2021, this flaw was initially thought to allow denial-of-service (DoS) attacks. However, SonicWall has updated its advisory, confirming that exploitation can in fact lead to arbitrary command execution, significantly elevating the risk profile.
Threat Activity
SonicWall and CISA have both confirmed that threat actors are currently leveraging this vulnerability in the wild. The flaw stems from improper neutralization of special elements in the SMA100 management interface, allowing attackers to inject malicious OS commands.
Federal agencies in the U.S. have until May 7, 2025 to apply mitigations under Binding Operational Directive (BOD) 22-01. While this directive applies to federal networks, we strongly advise all organizations using SonicWall appliances to take immediate action.
Recommended Actions
- Patch Immediately: Upgrade to a fixed version as listed in SonicWall’s advisory.
- Audit VPN Access Logs: Investigate signs of unauthorized or anomalous remote access.
- Segment Network Access: Ensure that access to the SMA management interface is limited and monitored.
- Harden the Appliance: Apply Web Application Firewalls (WAF) and hardening measures to reduce the attack surface.
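To act on the patching and version guidance above across a fleet, the following added example (not OP Innovate's or SonicWall's tooling) checks SMA 100 firmware strings against the three affected ceilings quoted in this advisory. It assumes the version format shown on the page (e.g. 10.2.1.0-17sv) and treats the first three components as the firmware branch; hostnames and extra version strings in the sample inventory are constructed.

```python
"""Check SonicWall SMA 100 firmware versions against the CVE-2021-20035
affected ceilings quoted in the advisory (constructed example)."""
import re
from typing import Optional

# Highest affected build on each firmware branch, as listed in the advisory.
# Assumption: a "branch" is identified by the first three version components.
AFFECTED_CEILINGS = ("10.2.1.0-17sv", "10.2.0.7-34sv", "9.0.0.10-28sv")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Split '10.2.1.0-17sv' into a comparable tuple (10, 2, 1, 0, 17)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the version is at or below its branch's affected ceiling,
    False if above it, None if the branch is not covered by the advisory."""
    v = parse_version(version)
    for ceiling in AFFECTED_CEILINGS:
        c = parse_version(ceiling)
        if v[:3] == c[:3]:
            return v <= c
    return None


def triage_inventory(inventory: dict) -> dict:
    """Label each appliance 'PATCH', 'ok' or 'review' (branch not listed)."""
    labels = {True: "PATCH", False: "ok", None: "review"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "sma410-hq": "10.2.1.0-17sv",    # exactly the affected ceiling
        "sma500v-dc1": "10.2.0.7-34sv",
        "sma210-branch": "9.0.0.9-20sv",  # older than the 9.x ceiling
        "sma400-lab": "10.2.1.3-99sv",    # above the 10.2.1 ceiling (constructed)
        "sma200-legacy": "8.5.0.0-10sv",  # branch not in the advisory
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host:15} {sample[host]:15} {status}")
```

Any appliance labelled "review" runs a branch this advisory does not list, so its status must be confirmed against SonicWall's current advisory rather than assumed safe.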
Why It Matters
Exploiting VPN and secure access appliances is a high-return tactic for threat actors, offering a foothold into sensitive internal networks. Attackers are known to chain such flaws with post-authentication privilege escalation or lateral movement techniques.
At OP Innovate, we continue to monitor this CVE and associated activity across dark web chatter and breach reports. Organizations using SonicWall SMA devices should treat this vulnerability as a high priority for remediation and incident response validation.
If you suspect compromise or need help with threat detection and triage, our Incident Response team is available 24/7.