SonicWall Customers Warned of Possible Attacks Exploiting Recent Vulnerability

Hackers have started targeting a recently patched vulnerability affecting SonicWall’s Secure Mobile Access (SMA) 100 series appliances, and while the attacks observed to date do not appear to have been successful, that could soon change.

The security flaw in question is CVE-2021-20038, a critical remote code execution vulnerability that SonicWall patched in December alongside several other issues impacting SMA 100 series products.

CVE-2021-20038 is a stack-based buffer overflow that can allow an unauthenticated attacker to take complete control of a physical or virtual SMA appliance.

Rapid7, whose researchers discovered the vulnerability, disclosed details earlier this month, and at least one proof-of-concept (PoC) exploit has been released by others.

Rich Warren, principal security consultant at NCC Group, warned this week that NCC Group had started seeing in-the-wild attempts to exploit CVE-2021-20038.

“The attempts so far appear to be opportunistic, non-targeted in nature and likely from unsophisticated attackers,” Warren told SecurityWeek. “So far the attacks have been unsuccessful; however, as proven by the publicly available exploit and Rapid7’s write-up, the vulnerability is exploitable in a real-world scenario. The exploit detailed by Rapid7 requires around 250,000 requests. So far we’ve only seen handfuls of around 3 or 4 requests at a time.”

Warren added, “In the worst case scenario, this would allow the attacker to gain remote access to the underlying VPN appliance, and the internal network access that comes with that. While the advisory states that code execution would be achieved under the ‘nobody’ user, escalation to ‘root’ is trivial, at which point the attacker would have full unfettered access to the operating system.”


SonicWall told SecurityWeek that its PSIRT is actively monitoring activity against all critical vulnerabilities and that it has not observed any successful exploitation attempts targeting CVE-2021-20038. The company also pointed out that there are currently no third-party reports of successful exploitation either.

“SonicWall patched the vulnerability in early December 2021 and communicated guidance to any impacted customers or partners. SonicWall continues to urge all organizations, regardless of security products, to be consistent and thorough in patching policy and execution,” the company said in a statement.

The United States, Japan and Australia have issued warnings about the vulnerability.

Warren also highlighted that in addition to attacks targeting CVE-2021-20038, they have seen password spraying activity aimed at SonicWall appliances. Attackers are hoping that administrators have failed to change default passwords, which would enable them to gain admin access to the web application.

“There were several post-authentication RCE vulnerabilities also patched in the same update, so it’s likely that attackers are hoping to first gain admin access through password spraying before exploiting one of the post-auth vulnerabilities, which again would give them code execution on the device,” the researcher warned.
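Two of the signals described above lend themselves to simple log-based detection: the exploit Rapid7 documented needs on the order of 250,000 requests, so a successful attempt is a request burst rather than the handfuls of 3 or 4 probes NCC Group has seen, and password spraying shows up as one source failing logins across many distinct usernames. The script below is an added example written for this article, not code from SecurityWeek, NCC Group, Rapid7 or SonicWall; the log layout, the login endpoint path, the thresholds and all sample log lines are constructed assumptions and do not reflect the appliance's real log format or URLs.

```python
"""Added example: heuristic detection of the two activity patterns the article describes,
run over constructed access-log lines for an SSL-VPN appliance's web interface.
Not code from SecurityWeek, NCC Group, Rapid7 or SonicWall. The log format, the login
endpoint path, the thresholds and every sample value are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
# Assumed log layout: <source ip> [<timestamp>] "<method> <path> <proto>" <status> [user=<name>]
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})(?: user=(?P<user>\S+))?$'
)
LOGIN_PATH = "/login-endpoint-placeholder"  # placeholder, not the appliance's real path


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def burst_sources(events, window=timedelta(seconds=60), threshold=100):
    """Sources that send at least `threshold` requests inside any sliding `window`.
    An exploit needing ~250,000 requests (the figure the article quotes) cannot hide
    from this check; handfuls of 3 or 4 probes, as NCC Group observed, will not trip it."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def spray_sources(events, min_users=5):
    """Sources with failed logins across at least `min_users` distinct usernames:
    the password-spraying pattern, which a per-account lockout alone will not catch."""
    users = defaultdict(set)
    for e in events:
        if e["path"] == LOGIN_PATH and e["status"] in (401, 403) and e["user"]:
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_users}


def build_sample_log():
    """Constructed sample log: one legitimate login, one spraying source, one burst source."""
    base = datetime(2022, 1, 25, 10, 0, 0)
    lines = [f'10.0.0.5 [{base.strftime(FMT)}] "POST {LOGIN_PATH} HTTP/1.1" 200 user=admin']
    # Password spray: one source, six different usernames, every attempt rejected.
    for i, user in enumerate(["admin", "root", "test", "guest", "sonicwall", "support"]):
        t = base + timedelta(seconds=5 * i)
        lines.append(f'203.0.113.7 [{t.strftime(FMT)}] "POST {LOGIN_PATH} HTTP/1.1" 401 user={user}')
    # Request burst: 150 requests to one path in 30 seconds (5 per second).
    for i in range(150):
        t = base + timedelta(seconds=i // 5)
        lines.append(f'198.51.100.9 [{t.strftime(FMT)}] "POST /probe-path-placeholder HTTP/1.1" 500')
    return lines


def analyze(lines):
    """Run both heuristics over a list of raw log lines."""
    events = parse(lines)
    return {"bursts": burst_sources(events), "sprays": spray_sources(events)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        for src, detail in hits.items():
            print(f"{kind}: {src} -> {detail}")
```

The burst threshold is deliberately coarse: a few-hundred-request window catches the brute-force-style exploit described by Rapid7 while leaving the low-volume probing NCC Group reported to the spray check and to per-path review, which is why both heuristics are run together rather than relying on request volume alone.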

It’s not uncommon for malicious actors to target SonicWall products. Threat groups have been known to exploit both old and new vulnerabilities in their operations.

Related: SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched

Related: SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws

Related: SonicWall Patches Critical Vulnerability in SMA Appliances

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.