Multiple vulnerabilities in SonicWall SMA 100 series (FIXED)

In April 2025, Rapid7 disclosed three critical vulnerabilities in SonicWall SMA 100 series appliances allowing low-privileged attackers to escalate privileges, delete critical files, and achieve root remote code execution. Patches were released promptly to fix these issues. (Affected: SonicWall SMA appliances, enterprise VPN users)

Key points:

  • Three high-impact vulnerabilities (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821) affect SonicWall SMA 100 series appliances.
  • Vulnerabilities allow authenticated low-privileged SMA users to escalate to administrator and root access.
  • CVE-2025-32819 enables arbitrary file deletion as root, including deleting the admin SQLite database to reset passwords.
  • CVE-2025-32820 allows path traversal to make any directory world-writable and overwrite files, causing a persistent DoS.
  • CVE-2025-32821 permits arbitrary file upload with administrator rights via shell command injection bugs.
  • Attackers can chain these vulnerabilities to achieve root-level remote code execution with a reverse shell.
  • Exploitation requires only a valid SMA SSLVPN user account and no initial admin privileges.
  • Rapid7 coordinated disclosure with SonicWall, who released patches in version 10.2.1.15-81sv.
  • InsightVM and Nexpose customers can assess exposure with updated scan content from May 7, 2025.
  • The flaws were actively exploited in the wild prior to patch release, based on private IoCs and incident response engagements.

MITRE Techniques:

  • Valid Accounts (T1078) – Exploitation begins with access to a valid SMA SSLVPN user account with low privileges.
  • Path Traversal (T1106) – CVE-2025-32820 allows injection of path traversal sequences to alter directory permissions.
  • Arbitrary File Deletion (T1107) – CVE-2025-32819 permits deletion of critical files as root to escalate privileges.
  • Privilege Escalation (T1068) – Chaining vulnerabilities allows escalation from low user privileges to root.
  • Abuse Elevation Control Mechanism (T1548) – Bypass of authorization checks to execute commands with root privileges.
  • Command Injection (T1059) – Shell command injection in CVE-2025-32821 to upload executable files.
  • Persistence (T1053) – Leveraging scheduled automated execution of the uploaded executable to maintain access.
  • Exfiltration Over C2 Channel (T1041) – Ability to copy sensitive files like /etc/passwd to attacker-controlled locations.
  • Remote Code Execution (T1203) – Achieving root-level remote code execution through chained exploits.
  • Exploit Public-Facing Application (T1190) – Targets SonicWall SMA web services accessible over HTTP/HTTPS.

Indicators of Compromise:

  • The article includes session cookie values (the “swap” and “swcctn” cookies) used to authenticate the unauthorized requests.
  • HTTP request patterns targeting vulnerable API endpoints like /fileshare/sonicfiles and /cgi-bin/importlogo used to exploit file operations.
  • Examples of payloads with path traversal sequences in parameters and file names indicating exploitation attempts.
  • File operations involving unusual chmod 777 commands on sensitive paths such as /bin and /usr/src/EasyAccess directories.
  • Logs showing root commands executed post-exploitation confirming compromises, such as moving or deleting key files and uploading executables.
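The indicators above are descriptive; the following triage script turns them into checks a defender can run over appliance logs. It is an added example, not code from the Rapid7 post or from SonicWall. The endpoint names (/fileshare/sonicfiles, /cgi-bin/importlogo), the chmod 777 on /bin and /usr/src/EasyAccess, and the fixed firmware version 10.2.1.15-81sv come from the summary above; the access-log and command-log line formats, the parameter names in the sample requests, and every sample line are constructed for the demo and are not real captures.

```python
"""Added example (not from the Rapid7 post): triage helpers for the IoC list above.

Endpoints, sensitive paths and the fixed version come from the summary; the log
formats and all sample lines below are constructed for the demo.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Endpoints named in the IoC list. Real SMA access logs may format lines differently.
WATCHED_ENDPOINTS = ("/fileshare/sonicfiles", "/cgi-bin/importlogo")

# Directory traversal token, checked after URL-decoding so ../, ..%2F, ..%5C and
# double-encoded forms are all caught.
TRAVERSAL_RE = re.compile(r"\.\.(/|\\)")

# Sensitive paths from the IoC list where a chmod 777 is a red flag.
SENSITIVE_PATHS = ("/bin", "/usr/src/EasyAccess")
CHMOD_777_RE = re.compile(r"\bchmod\s+(-R\s+)?0?777\s+(\S+)")

# Constructed access-log format: '<client> "<METHOD> <path?query> HTTP/1.1" <status>'
ACCESS_LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def flag_request(line: str) -> Optional[dict]:
    """Finding for a request to a watched endpoint that carries a traversal sequence, else None."""
    m = ACCESS_LINE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path, _, _query = target.partition("?")
    if path not in WATCHED_ENDPOINTS:
        return None
    # Decode twice so single- and double-URL-encoded '../' are both detected.
    decoded = unquote(unquote(target))
    if not TRAVERSAL_RE.search(decoded):
        return None
    return {"client": m.group("client"), "endpoint": path,
            "status": m.group("status"), "decoded": decoded}


def flag_chmod(line: str) -> Optional[dict]:
    """Finding when a command-log line runs chmod 777 on a sensitive path (or anything below it)."""
    m = CHMOD_777_RE.search(line)
    if not m:
        return None
    target = m.group(2)
    if any(target == p or target.startswith(p + "/") for p in SENSITIVE_PATHS):
        return {"path": target, "line": line.strip()}
    return None


def parse_version(v: str) -> tuple:
    """'10.2.1.15-81sv' -> (10, 2, 1, 15, 81): dotted numeric parts, then the build number."""
    main, _, build = v.partition("-")
    nums = [int(x) for x in main.split(".")]
    build_num = int(re.match(r"\d+", build).group(0)) if build else 0
    return tuple(nums + [build_num])


def is_patched(version: str, fixed: str = "10.2.1.15-81sv") -> bool:
    """True if the firmware version is at or above the fixed release named in the summary."""
    return parse_version(version) >= parse_version(fixed)


def triage(access_lines, command_lines) -> dict:
    """Run both detectors and collect the findings."""
    return {
        "requests": [f for f in map(flag_request, access_lines) if f],
        "chmod": [f for f in map(flag_chmod, command_lines) if f],
    }


# Constructed sample logs (not real captures); 'p' and 'name' are placeholder parameter names.
SAMPLE_ACCESS = [
    '203.0.113.5 "GET /fileshare/sonicfiles?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '203.0.113.5 "POST /cgi-bin/importlogo HTTP/1.1" 200',
    '198.51.100.7 "GET /fileshare/sonicfiles?p=report.pdf HTTP/1.1" 200',
    '198.51.100.9 "GET /cgi-bin/importlogo?name=%252e%252e%252fetc HTTP/1.1" 200',
]
SAMPLE_COMMANDS = [
    "root: chmod 777 /usr/src/EasyAccess/www",
    "root: chmod 644 /usr/src/EasyAccess/www/index.html",
    "root: chmod -R 777 /tmp/build",
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_ACCESS, SAMPLE_COMMANDS).items():
        for item in items:
            print(kind, item)
    print("patched:", is_patched("10.2.1.14-75sv"))
```

Two design choices matter here: the traversal check runs on the whole request target after two rounds of URL decoding, so a double-encoded `%252e%252e%252f` is flagged as readily as a literal `../`; and a plain request to a watched endpoint is not a finding on its own, since those endpoints serve legitimate traffic. The version check only tells you whether the firmware is below 10.2.1.15-81sv; given the in-the-wild exploitation noted above, an unpatched appliance should also be reviewed for the file-operation and chmod indicators rather than simply upgraded.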


Read more: https://blog.rapid7.com/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
