SonicWall Urges Users to Patch Critical Vulnerabilities in SMA Appliances Amid Exploited Attacks

SonicWall is urging its customers to act quickly and patch three critical vulnerabilities found in its Secure Mobile Access (SMA) appliances, one of which is already being actively exploited. The flaws—discovered by cybersecurity researcher Ryan Emmons from Rapid7—can allow attackers to gain full control over vulnerable devices, potentially causing severe damage. Here’s what you need to know.

Security Flaws Expose Devices to Remote Code Execution

The vulnerabilities, identified as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, are severe and can be chained together to give attackers remote code execution (RCE) access with root privileges. These flaws affect several devices within the SMA product line, including the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v models. SonicWall has released a fix for these vulnerabilities in firmware version 10.2.1.15-81sv and higher.

With these vulnerabilities, threat actors can bypass several security layers. For instance, CVE-2025-32819 can be exploited to delete critical system files, reset the default admin password, and log in to the SMA web interface. From there, attackers can chain the vulnerability with CVE-2025-32820, which involves path traversal and enables attackers to make critical system directories writable. Finally, by exploiting CVE-2025-32821, attackers can achieve root-level access and execute malicious code on the device.

This chain of attacks allows hackers to take full control of an affected device, posing an enormous risk for organizations that rely on these appliances for secure mobile access.

SonicWall’s Urgency: Patch Now to Prevent Breaches

SonicWall strongly advises all users of affected SMA 100 series products to upgrade to the fixed firmware version (10.2.1.15-81sv or higher). The company issued a stern warning in a Wednesday advisory, urging administrators to act immediately to patch these flaws. It’s critical that users not delay, as the risks are substantial.

“We strongly advise users of the SMA 100 series products to upgrade to the fixed release version to address these vulnerabilities,” the company stated. SonicWall is also recommending users check their device logs for any signs of unauthorized logins and enable additional security measures like a web application firewall and multi-factor authentication (MFA) as a precautionary step.

While SonicWall has addressed these vulnerabilities, the situation remains fluid. Rapid7’s incident response team has reported that these flaws may already be used in the wild, confirming that these vulnerabilities are being exploited in live cyberattacks.

Chain of Exploits Triggers Remote Code Execution

Here’s how the exploitation chain works. Attackers initially gain access to an SMA SSLVPN user account, which provides a basic entry point. From there, the attacker can exploit the CVE-2025-32819 flaw to delete the critical SQLite database, allowing them to reset the default admin password and log in to the web interface. Once logged in, they can then take advantage of the CVE-2025-32820 flaw, which allows the attacker to make the /bin folder writable.

With the folder writable, attackers can finally exploit CVE-2025-32821 to execute arbitrary code as root. The result? Complete control of the SMA appliance, giving attackers the ability to install malware, steal data, or disrupt operations entirely.

The combination of these flaws is extremely dangerous, especially since the vulnerabilities allow for remote execution of code with root privileges. Once in control, the attacker can essentially do anything with the affected device, from installing malicious software to extracting sensitive data. This creates a perfect storm for cybercriminals looking for easy targets.

More Vulnerabilities Plague SMA Appliances

This is not the first time SonicWall has issued an urgent patch alert for its SMA appliances. In fact, only last week, the company issued a warning about two other vulnerabilities, CVE-2023-44221 and CVE-2024-38475, which were also being actively exploited. These flaws allow attackers to inject commands and execute code remotely, making it easy for cybercriminals to hijack devices for malicious purposes.

It’s worth noting that SonicWall had previously flagged another high-severity flaw, CVE-2021-20035, which was also exploited in attacks targeting SMA100 appliances in April. And in January, the company issued another warning regarding a zero-day flaw impacting SMA1000 secure access gateways, urging users to patch their devices before they become targets of an attack.

Cybersecurity experts have been urging companies to remain vigilant, as cybercriminals have become increasingly adept at exploiting vulnerabilities in widely-used devices. SonicWall’s constant stream of warnings about these flaws underscores the severity of the situation. Administrators should not wait for an attack to happen before taking action.

What You Can Do Now

If you’re a user of SonicWall SMA appliances, here are a few things you can do right now to secure your devices:

  • Upgrade to firmware version 10.2.1.15-81sv or higher

  • Check logs for signs of unauthorized login attempts

  • Enable multi-factor authentication (MFA) on all SMA devices

  • Turn on a web application firewall to add an extra layer of protection

  • Review your network’s security policies to ensure they are up to date

In addition to these recommendations, keeping your firmware up to date is the most important step to prevent attackers from exploiting these vulnerabilities. It’s also a good idea to keep an eye on security advisories from SonicWall and other vendors to stay ahead of any emerging threats.
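To act on the first recommendation across more than one appliance, the following added example (not from SonicWall or the original article) triages a device inventory against the fixed release 10.2.1.15-81sv and the affected models named above. The CSV layout, hostnames and sample firmware strings are constructed, and the version-string layout the parser expects is an assumption based on the fixed version quoted in the article.

```python
import csv
import io
import re

# Values taken from the article: fixed release and affected SMA models.
FIXED_RELEASE = "10.2.1.15-81sv"
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

# Assumed layout: four dotted numbers, a dash, a build number, then "sv".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Return a comparable tuple of ints, or None if the string is not recognised."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory_csv):
    """Map each host to 'patched', 'vulnerable', 'review' or 'not-listed'."""
    fixed = parse_version(FIXED_RELEASE)
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip()
        version = parse_version(row["firmware"])
        if model not in AFFECTED_MODELS:
            status = "not-listed"  # model is not among those the article names
        elif version is None:
            status = "review"  # unparseable firmware string: check by hand
        elif version >= fixed:  # numeric compare, so 1.9 sorts below 1.15
            status = "patched"
        else:
            status = "vulnerable"
        results[row["host"].strip()] = status
    return results


# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE_INVENTORY = """host,model,firmware
vpn-a.example.internal,SMA 410,10.2.1.14-75sv
vpn-b.example.internal,SMA 500v,10.2.1.15-81sv
vpn-c.example.internal,SMA 210,10.2.1.9-57sv
vpn-d.example.internal,SMA 400,unknown
vpn-e.example.internal,SMA 200,10.2.2.0-3sv
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the versions as integer tuples rather than strings matters here: a plain string comparison would rank 10.2.1.9 above 10.2.1.15 and report an unpatched device as fixed.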

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
