
SonicWall has issued an urgent security advisory addressing multiple critical vulnerabilities in its Secure Mobile Access (SMA) series. These flaws—now confirmed to be actively exploited—pose a serious risk to organizations relying on SonicWall's SSL VPN appliances to secure remote access.
What’s at Stake?
Three vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) have been disclosed affecting the following SMA appliances:
- SMA 200
- SMA 210
- SMA 400
- SMA 410
- SMA 500v
When chained together, these vulnerabilities can allow an attacker with valid SSL VPN user credentials to execute arbitrary code with root privileges. This grants full system control and could be used to pivot into internal networks, exfiltrate data, or deploy ransomware.
Breakdown of the Exploits:
- CVE-2025-32819: Enables attackers to delete the primary SQLite database and reset the admin password, giving them admin access to the web interface.
- CVE-2025-32820: A path traversal vulnerability that makes the /bin directory writable.
- CVE-2025-32821: Allows an attacker to write and execute malicious files as root within the system directory.
According to Rapid7, at least one of these vulnerabilities is being exploited in the wild, with activity observed during incident response engagements.
What Should You Do?
SonicWall is urging all organizations to take the following actions immediately:
- Patch Your Devices: Upgrade to firmware version 10.2.1.15-81sv or later on all affected SMA appliances.
- Audit Your Logs: Review logs for signs of suspicious access or configuration changes.
- Harden Authentication: Enforce Multi-Factor Authentication (MFA) for all remote users and administrative interfaces.
- Enable Web Application Firewall (WAF): If supported, enable WAF capabilities to help detect and block potential exploitation attempts.
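For the patching step, the following added example (not SonicWall's or the original post's code) triages an appliance inventory against the fixed firmware version and affected models listed above. It assumes firmware strings have the same shape as the fixed version quoted in this post; the inventory rows, hostnames and older version numbers are constructed for illustration.

```python
import re

# Values taken from the advisory text above.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
FIXED_VERSION = "10.2.1.15-81sv"

# Assumption: firmware strings look like the fixed version quoted above:
# four dotted numbers, a dash, a build number and an "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Return the version as a tuple of ints, or None if it does not parse."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(inventory):
    """Map hostname -> not-affected-model | patched | needs-patch | unknown-version."""
    fixed = parse_version(FIXED_VERSION)
    result = {}
    for host, model, firmware in inventory:
        if model.strip() not in AFFECTED_MODELS:
            result[host] = "not-affected-model"
            continue
        current = parse_version(firmware)
        if current is None:
            # Never treat an unreadable version as safe; flag it for review.
            result[host] = "unknown-version"
        elif current >= fixed:
            # Numeric tuple comparison, so 10.2.1.9 sorts below 10.2.1.15.
            result[host] = "patched"
        else:
            result[host] = "needs-patch"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-edge-02", "SMA 200", "10.2.1.9-99sv"),
    ("vpn-edge-03", "SMA 500v", "10.2.1.15-81sv"),
    ("vpn-edge-04", "SMA 210", "10.2.1.15-80sv"),
    ("vpn-edge-05", "SMA 400", "unknown"),
    ("fw-core-01", "Other appliance", "1.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the versions as plain strings would rank 10.2.1.9 above 10.2.1.15 and mark an unpatched device as safe, which is why the fields are parsed into integers first.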
Why This Matters
VPN appliances are a favorite target for attackers because they often sit on the edge of the network and provide a direct entry point into sensitive systems. With threat actors actively exploiting these flaws, failure to act could result in a full compromise of your internal network.
If you're using SonicWall SMA products, patch now—assume compromise until proven otherwise.
References:
- BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
- SonicWall Security Advisory: SNWLID-2025-0003
- Rapid7 Analysis: Rapid7 Blog