
SonicWall urges admins to patch VPN flaw exploited in attacks



SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.

Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.

The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.
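A fleet triage against the fixed release named above, as an added example that is not SonicWall's or Rapid7's code. The `N.N.N.N-NNsv` version pattern is an assumption modelled on the fixed release string, and the inventory records are constructed.

```python
import re

# From the article: affected SMA 100 series models and the first fixed firmware.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
FIXED_VERSION = "10.2.1.15-81sv"

# Assumed firmware string shape: four dotted numbers, a build number, "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Return a comparable tuple of ints, or None if the string does not match."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory):
    """Map each host to 'patched', 'vulnerable', 'unknown' or 'out-of-scope'."""
    fixed = parse_version(FIXED_VERSION)
    result = {}
    for host, model, firmware in inventory:
        if model not in AFFECTED_MODELS:
            result[host] = "out-of-scope"  # model not listed in this advisory
            continue
        version = parse_version(firmware)
        if version is None:
            result[host] = "unknown"  # unparseable: check by hand, do not assume safe
        elif version >= fixed:
            result[host] = "patched"
        else:
            result[host] = "vulnerable"
    return result


# Constructed sample inventory: (hostname, model, reported firmware).
SAMPLE = [
    ("vpn-edge-01", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-edge-02", "SMA 500v", "10.2.1.15-81sv"),
    ("vpn-lab-01", "SMA 210", "10.2.1.9-57sv"),  # plain string compare would rank this above the fix
    ("vpn-dr-01", "SMA 400", "unknown"),
    ("fw-core-01", "Gen 7 firewall", "7.0.1-5035"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Comparing parsed tuples rather than raw strings matters here: as text, `10.2.1.9-57sv` sorts after `10.2.1.15-81sv` and would be reported as patched.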

“SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities,” SonicWall said in a Wednesday advisory.

Successful exploitation of CVE-2025-32819 allows threat actors to delete the primary SQLite database, reset the password of the default SMA admin user, and log in as admin to the SMA web interface. Next, they can exploit the CVE-2025-32820 path traversal vulnerability to make the /bin folder writable and then gain remote code execution as root by exploiting CVE-2025-32821.

“An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution,” Rapid7 said.

“Based on known (private) IOCs and Rapid7 incident response investigations, we believe this vulnerability may have been used in the wild.”

SonicWall advised admins to check their SMA devices’ logs for any signs of unauthorized logins and enable the web application firewall and multifactor authentication (MFA) on their SMA100 appliances as a safety measure.

Last week, SonicWall warned customers that two other vulnerabilities (CVE-2023-44221 and CVE-2024-38475) affecting SMA appliances are now actively exploited in attacks to inject commands and execute code remotely.

The company flagged another high-severity flaw (CVE-2021-20035) as exploited in remote code execution attacks targeting SMA100 VPN appliances in April. One day later, cybersecurity company Arctic Wolf revealed the security bug had been under active exploitation since at least January 2025.

In January, SonicWall also urged admins to patch a critical flaw in SMA1000 secure access gateways exploited in zero-day attacks, and one month later warned of an actively exploited authentication bypass flaw impacting Gen 6 and Gen 7 firewalls that lets hackers hijack VPN sessions.
