SonicWall has released patches for three vulnerabilities affecting its Secure Mobile Access (SMA) 100 series that could enable remote code execution when exploited in combination. One of them may be a zero-day.
The flaws, identified as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, were discovered by Rapid7 researchers in April 2025. These issues affect the SSLVPN feature of SMA 100 devices and can be chained by an attacker with user-level access to gain administrative privileges and execute arbitrary code remotely.
CVE-2025-32819, which has a CVSS score of 8.8, allows a remote attacker with authenticated SSLVPN user access to bypass path traversal checks and delete arbitrary files. According to SonicWall’s advisory, this could result in the device resetting to factory default settings.
CVE-2025-32820 is rated 8.3 on the CVSS scale and involves a path traversal vulnerability that allows an authenticated user to make any directory on the SMA appliance writable via SSLVPN.
CVE-2025-32821, with a CVSS score of 6.7, is a command injection vulnerability affecting admin users. An attacker with admin-level SSLVPN access can inject shell command arguments to upload a file to the appliance.
Rapid7 reports that these three vulnerabilities can be combined into a full exploit chain. By starting with a low-privilege user session, an attacker could delete the admin credentials database to reset the password, change directory permissions to allow writing to critical system paths such as /bin, and ultimately upload and run a malicious payload. This chain of actions can lead to full remote code execution with root privileges.
The vulnerabilities have been addressed in SonicWall SMA firmware version 10.2.1.15-81sv. SonicWall recommends that all affected users update their devices to this version immediately.
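To triage a fleet against the fixed release, the following added example (not SonicWall or Rapid7 code) compares firmware strings numerically against 10.2.1.15-81sv. It assumes that any build ordering below the fixed version needs the update; the hostnames and inventory versions are constructed for illustration.

```python
import re

FIXED = "10.2.1.15-81sv"  # fixed firmware version named in the article

# SMA 100 firmware strings look like "10.2.1.15-81sv": four dotted fields plus a build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Return the firmware string as a tuple of ints so it compares numerically."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized firmware string: {text!r}")
    return tuple(int(part) for part in match.groups())


def needs_update(version, fixed=FIXED):
    """True when the version orders below the fixed release (assumption: lower means unpatched)."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Sort hosts into update / ok / unknown buckets; unparseable strings go to unknown."""
    buckets = {"update": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "update" if needs_update(version) else "ok"
        except ValueError:
            bucket = "unknown"  # review by hand rather than guessing
        buckets[bucket].append(host)
    return buckets


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "sma-branch-01": "10.2.1.14-75sv",
    "sma-branch-02": "10.2.1.9-57sv",   # plain string comparison would rank this above the fix
    "sma-hq-01": "10.2.1.15-81sv",
    "sma-lab-01": "unknown (SNMP timeout)",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Comparing the raw strings would sort "10.2.1.9" above "10.2.1.15" and hide an unpatched device, which is why the fields are parsed to integers first.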
Rapid7 warns that these vulnerabilities may have already been exploited in the wild. Based on internal indicators of compromise and results from recent incident response activities, they suspect that attackers have used this exploit chain in real-world attacks.