By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
SonicWall SMA100 Arbitrary File Deletion Vulnerability
CVSS Score: 8.8 (High)
Identifier: CVE-2025-32819
Exploit or POC: Yes – https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
Update: CVE-2025-32819 – SonicWall Security Advisory
Description: CVE-2025-32819 is a high-severity vulnerability affecting SonicWall's Secure Mobile Access (SMA) 100 series appliances, including models 200, 210, 400, 410, and 500v. The flaw arises from improper input validation, allowing a remote authenticated attacker with SSLVPN user privileges to bypass path traversal checks and delete arbitrary files. Exploitation of this vulnerability can lead to a reboot to factory default settings, potentially resulting in unauthorized access and system compromise. This vulnerability is part of a chain that includes CVE-2025-32820 and CVE-2025-32821, which together can be exploited to gain root-level access to the device. Rapid7 has reported that CVE-2025-32819 may have been exploited in the wild as a zero-day based on known indicators of compromise and incident response investigations.
Mitigation Recommendation: SonicWall has addressed this vulnerability in firmware version 10.2.1.15-81sv and later. Administrators are strongly advised to update affected SMA 100 series devices to this version or newer. Additionally, enabling multifactor authentication (MFA) and the built-in web application firewall (WAF) can provide further protection against exploitation.
Note: Given the potential for this vulnerability to be exploited in conjunction with others for full system compromise, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.
SonicWall SMA100 Path Traversal Vulnerability
CVSS Score: 8.3 (High)
Identifier: CVE-2025-32820
Exploit or POC: Yes – https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
Update: CVE-2025-32820 – SonicWall Security Advisory
Description: CVE-2025-32820 is a high-severity vulnerability affecting SonicWall's Secure Mobile Access (SMA) 100 series appliances, including models 200, 210, 400, 410, and 500v. The flaw arises from improper input validation, allowing a remote authenticated attacker with SSLVPN user privileges to inject a path traversal sequence. This can make any directory on the SMA appliance writable, potentially leading to unauthorized modifications and escalating to remote code execution when chained with other vulnerabilities. This vulnerability is part of a chain that includes CVE-2025-32819 and CVE-2025-32821, which together can be exploited to gain root-level access to the device.
Mitigation Recommendation: SonicWall has addressed this vulnerability in firmware version 10.2.1.15-81sv and later. Administrators are strongly advised to update affected SMA 100 series devices to this version or newer. Additionally, enabling multifactor authentication (MFA) and the built-in web application firewall (WAF) can provide further protection against exploitation.
Note: Given the potential for this vulnerability to be exploited in conjunction with others for full system compromise, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.
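Both CVE-2025-32819 and CVE-2025-32820 are described above as improper input validation that lets an authenticated user get past path traversal checks. The following is an added illustration of that weakness class in general, not code from RedLegg, SonicWall, or the SMA firmware, and it says nothing about how the SMA checks themselves are implemented. It contrasts a substring blocklist (which accepts encoded dot-segments and rejects harmless ones) with canonicalising the path and confirming it stays under an assumed base directory; the base directory and the test paths are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example: the directory that user-supplied file paths must
# never escape. Hypothetical value, not a path from the appliance.
BASE_DIR = "/var/app/userfiles"


def naive_is_safe(user_path: str) -> bool:
    """Blocklist-style check that only looks for a literal '../' in the
    raw request. It misses percent-encoded separators and also rejects
    inputs that never leave the base directory."""
    return "../" not in user_path


def resolve_within_base(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Canonicalise the requested path and accept it only if the result
    is base_dir itself or a descendant of it. Returns the resolved path,
    or None when the request is rejected."""
    base_dir = posixpath.normpath(base_dir)

    # Decode percent-encoding until it stops changing (bounded), so a
    # double-encoded dot-segment cannot slip past normalisation.
    decoded = user_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once

    # NUL bytes can truncate the path in a C-based backend; reject outright.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators and a leading slash as relative to
    # base_dir, then collapse '.' and '..' segments.
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))

    # The decisive check is on the canonical result, not the raw input.
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed test inputs: two that must be rejected, two that are fine.
    for p in ("../../etc/passwd", "..%2f..%2fetc/passwd",
              "docs/report.txt", "docs/../report.txt"):
        print(f"{p!r:28} naive={naive_is_safe(p)!s:5} "
              f"canonical={resolve_within_base(p)}")
```

The example works purely on strings so it runs offline; on a real filesystem the same check should be applied to `os.path.realpath()` of the candidate so that symbolic links inside the base directory cannot point outside it.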
SonicWall SMA100 Remote Command Injection Vulnerability
CVSS Score: 6.7 (Medium)
Identifier: CVE-2025-32821
Exploit or POC: Yes – https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
Update: CVE-2025-32821 – SonicWall Security Advisory
Description: CVE-2025-32821 is a medium-severity vulnerability affecting SonicWall's Secure Mobile Access (SMA) 100 series appliances, including models 200, 210, 400, 410, and 500v. The flaw arises from improper input validation, allowing a remote authenticated attacker with SSLVPN admin privileges to inject shell command arguments to upload a file on the appliance. This vulnerability can be exploited in conjunction with CVE-2025-32819 and CVE-2025-32820 to achieve root-level remote code execution. An attacker can exploit CVE-2025-32819 to delete critical files and elevate privileges to administrator, then use CVE-2025-32820 to make system directories writable, and finally leverage CVE-2025-32821 to write an executable file that the system would automatically execute with root privileges.
Mitigation Recommendation: SonicWall has addressed this vulnerability in firmware version 10.2.1.15-81sv and later. Administrators are strongly advised to update affected SMA 100 series devices to this version or newer. Additionally, enabling multifactor authentication (MFA) and the built-in web application firewall (WAF) can provide further protection against exploitation.
Note: Given the potential for this vulnerability to be exploited in conjunction with others for full system compromise, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.
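All three entries give the same remediation: firmware 10.2.1.15-81sv or later. When triaging a fleet, comparing version strings lexically gets this wrong (for example a fourth component of 9 sorts after 15 as text). The script below is an added example, not RedLegg's or SonicWall's tooling; it assumes SMA 100 version strings always follow the `A.B.C.D-Nsv` shape seen in the advisory, and the inventory entries and their versions are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed version as stated in the advisory.
FIXED_VERSION = "10.2.1.15-81sv"

# Assumed format: four dotted numeric components, a dash, a build number, 'sv'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

VersionTuple = Tuple[int, int, int, int, int]


def parse_sma_version(version: str) -> Optional[VersionTuple]:
    """Turn '10.2.1.15-81sv' into (10, 2, 1, 15, 81) so components compare
    numerically. Returns None for anything that does not match the format."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed is older than the fixed version, False if it is the
    fixed version or newer, None if the installed string is unparseable
    (which should be escalated for manual review rather than ignored)."""
    inst = parse_sma_version(installed)
    fix = parse_sma_version(fixed)
    if inst is None or fix is None:
        return None
    return inst < fix


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket an {hostname: firmware} inventory into update / ok / review."""
    buckets: Dict[str, List[str]] = {"update": [], "ok": [], "review": []}
    for host, version in sorted(inventory.items()):
        verdict = needs_update(version)
        if verdict is None:
            buckets["review"].append(host)
        elif verdict:
            buckets["update"].append(host)
        else:
            buckets["ok"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {
        "sma-dc1": "10.2.1.14-75sv",
        "sma-dc2": "10.2.1.15-81sv",
        "sma-branch": "10.2.1.9-50sv",
        "sma-lab": "10.2.1.16-1sv",
        "sma-old": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket:7}: {', '.join(hosts) or '-'}")
```

The `review` bucket is deliberate: an appliance whose version cannot be read should surface as a gap in the inventory, not silently count as patched.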