(TLP:CLEAR) Possible Zero-Day Patched in SonicWall Secure Mobile Access 100 Series Devices

Summary: In April of 2025, Rapid7 discovered and disclosed three new vulnerabilities affecting SonicWall Secure Mobile Access (“SMA”) 100 series appliances (SMA 200, 210, 400, 410, 500v). These vulnerabilities are tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821. An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution.

Analyst Note: Of special note for members is CVE-2025-32819, which Rapid7 states “Based on known (private) IOCs and Rapid7 incident response investigations, we believe this vulnerability may have been used in the wild.” While this CVE is only the first in a series of three vulnerabilities that would need to be exploited in order to achieve root-level remote code execution, members are still encouraged to scan their organization’s network to see if they are utilizing these devices and apply the appropriate patches.

Original Source: https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/

Additional Reading:

• Possible Zero-Day Patched in SonicWall SMA Appliances | Security Week

Related WaterISAC PIRs: 6, 8