Sonicwall: High-risk gaps in SSL VPN of the SMA100 series

Sonicwall warns of security vulnerabilities in SMA100 firewalls. IT researchers reveal chain of vulnerabilities and take over devices.

Sonicwall appliances of the SMA100 series

(Image: Sonicwall)


IT researchers have discovered new vulnerabilities in the Sonicwall SMA100 firewalls. By linking several of the vulnerabilities classified as high-risk, attackers can take control of vulnerable devices.

The Sonicwall developers describe the vulnerabilities in a security advisory. They rate a flaw in the SSL VPN as the most serious: after logging in, attackers on the network can bypass the path traversal checks and thus delete arbitrary files. This can reset SMA100 devices to factory settings, which take effect after a restart (CVE-2025-32819 / EUVD-2025-13910, CVSS 8.8, risk "high"). The vulnerability only narrowly misses being classified as a "critical" risk.

Through a second vulnerability, logged-in attackers with user rights can inject a path traversal sequence from the network and thus make any directory on SMA100 appliances writable (CVE-2025-32820 / EUVD-2025-13913, CVSS 8.3, risk "high"). The third vulnerability allows malicious actors on the network with SSL VPN admin rights to smuggle in shell commands as arguments when uploading files to the appliances (CVE-2025-32821 / EUVD-2025-13911, CVSS according to EUVD 7.1, risk "high").

The IT security researchers at Rapid7 have analyzed the vulnerabilities more closely and published their findings in a detailed blog post. They show how they chain the vulnerabilities: starting with access to an SSL VPN account, they make an important system directory writable, elevate their rights to SMA admin and write an executable file to a system directory. This allows them to inject and execute arbitrary code from the network with "root" privileges.


The Sonicwall appliances of the SMA100 series are affected, specifically the SMA 200, 210, 400, 410 and 500v. They are vulnerable with firmware versions 10.2.1.14-75sv or older. The problem is solved by updating the firmware to version 10.2.1.15-81sv and newer.

IT managers are strongly advised to install the updates quickly. In the past three weeks alone, waves of attacks on several older vulnerabilities in the SMA100 series have become known.
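
The version boundary given above can be checked across an appliance inventory. The following is an added example, not code from Sonicwall, Rapid7 or heise: it assumes firmware strings follow the `10.2.1.14-75sv` pattern quoted in the article, and the hostnames and inventory rows are constructed. Comparing the parsed numbers avoids the string-comparison trap where "10.2.1.9" sorts after "10.2.1.15".

```python
import re

# Values taken from the article: affected models and the first fixed firmware.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
FIXED = "10.2.1.15-81sv"

# Assumption: firmware strings look like the ones quoted in the article.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version):
    """Turn '10.2.1.14-75sv' into a comparable tuple (10, 2, 1, 14, 75)."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(part) for part in m.groups())


def needs_update(model, version):
    """True if the model is in the affected series and runs a build below the fix."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_firmware(version) < parse_firmware(FIXED)


def triage(inventory):
    """Split (hostname, model, version) rows into patch / ok / review lists."""
    result = {"patch": [], "ok": [], "review": []}
    for host, model, version in inventory:
        try:
            bucket = "patch" if needs_update(model, version) else "ok"
        except ValueError:
            bucket = "review"  # unparseable version: never assume it is safe
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and rows are made up).
SAMPLE = [
    ("vpn-a", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-b", "SMA 500v", "10.2.1.15-81sv"),
    ("vpn-c", "SMA 210", "10.2.1.9-57sv"),
    ("vpn-d", "SMA 400", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```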

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.