An old security flaw in SonicWall’s SMA 100 series is back in the spotlight. Although the vulnerability was patched in 2021, it’s now being used in live attacks, prompting an urgent warning from SonicWall and a new alert from CISA.
Old Bug, New Threat
SonicWall has updated its advisory for a flaw known as CVE-2021-20035. This vulnerability affects SMA models 200, 210, 400, 410, and 500v running outdated software versions. When first patched in 2021, it carried a medium severity score of 5.5 and required authentication to exploit. As a result, many overlooked the fix.
Now, SonicWall says the flaw is being actively exploited in the wild, and it has raised the rating to a high severity score of 7.2. The bug allows a remote attacker who has authenticated to run commands on the device as a low-privilege account called “nobody.” That’s possible because of improper input handling in the device’s management interface.
Exploits May Involve a Second Vulnerability
There are no public reports yet showing how attackers are exploiting this bug. But since it requires authentication, researchers suspect another vulnerability might be involved—possibly a zero-day or a known flaw used to gain access.
The bug was originally reported by Alpha Lab, a security team at Chinese firm Qihoo 360. This group is known for discovering serious flaws in enterprise products. However, it’s unclear who discovered that the bug is now being exploited.
Security researchers aren’t surprised by the news. The SMA 100 series has long been a target for attackers. Many past incidents involved zero-day vulnerabilities in the same product line.
As of this week, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog. The database now lists over a dozen SonicWall flaws, with several tied to the SMA 100 series.
What to Do Now
If your organization still uses SMA 100 appliances, check your firmware versions. Patches are already available, but many systems may have missed them because of the flaw’s lower initial severity rating. Now the threat is real and urgent.