SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution and compromise instances.
The vulnerabilities affect SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.
“SonicWall firmly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities,” SonicWall said in a Wednesday advisory.
Successful exploitation of CVE-2025-32819 allows threat actors to delete the primary SQLite database, reset the password of the default SMA administrator user, and log in as an administrator to the SMA web interface. Next, they can exploit the CVE-2025-32820 path traversal vulnerability to make the /bin folder writable and then gain remote code execution as root by exploiting CVE-2025-32821.
“An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution,” Rapid7 said.
“Based on known (private) IOCs and Rapid7 incident response investigations, we believe that this vulnerability can be used in the wild.”
SonicWall advised admins to check the logs of their SMA devices for any signs of unauthorized logins and to enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as safety measures.
Last week, SonicWall warned customers that two other vulnerabilities (CVE-2023-44221 and CVE-2024-38475) affecting SMA appliances are now actively exploited in attacks to inject commands and execute code remotely.
The company flagged another high-severity flaw (CVE-2021-20035) in April as exploited in remote code execution attacks targeting SMA100 VPN appliances. A day later, cybersecurity company Arctic Wolf revealed that the security bug had been under active exploitation since at least January 2025.
In January, SonicWall also urged admins to patch a critical flaw in SMA1000 secure access gateways that was exploited in zero-day attacks, and a month later it warned of an actively exploited authentication bypass flaw impacting Gen 6 and Gen 7 firewalls that lets hackers hijack VPN sessions.