
Cybersecurity firm Arctic Wolf has confirmed that a remote code execution (RCE) vulnerability in SonicWall Secure Mobile Access (SMA) appliances has been actively exploited since January 2025 [1]. The flaw, tracked as CVE-2021-20035, allows authenticated attackers to execute arbitrary commands via the SMA management interface. This campaign primarily targets MSPs and critical infrastructure, with attackers leveraging default credentials and credential stuffing techniques [2].
Technical Breakdown of the Vulnerability
CVE-2021-20035 (CVSS 7.2) is a command injection flaw in the SMA100 series management interface. Attackers exploit it by injecting commands through the /cgi-bin/viewcert endpoint using crafted curl requests. A publicly available proof-of-concept demonstrates exploitation via:
curl -k "https://<TARGET>/cgi-bin/viewcert?type=;id" --user "admin@LocalDomain:password"
Affected firmware versions include all releases ≤10.2.1.0-17sv for SMA 200/210/400/410/500v devices [3]. Successful exploitation grants attackers administrative access, often followed by Cobalt Strike beacon deployment for lateral movement [4].
Detection and Mitigation Strategies
SonicWall released patched firmware (10.2.1.1-19sv) in April 2025. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 16, with a federal patching deadline of May 7 [5]. For detection, security teams can implement this Sigma rule:
title: SonicWall SMA Suspicious Command Execution
logsource:
  product: sonicwall
  service: sma
detection:
  keywords:
    - "/cgi-bin/viewcert?type=*;*"
    - "admin@LocalDomain"
  condition: keywords
Network defenders should prioritize:
- Immediate patching of SMA appliances
- Auditing for unusual API requests to /cgi-bin/viewcert
- Monitoring for Cobalt Strike C2 traffic
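The Sigma rule above and the viewcert audit item describe the same check; here it is as a runnable Python detector, added here and not taken from the article, Arctic Wolf or SonicWall. It assumes a common-log-style access log (the appliance's real log format is not given on the page) and runs over constructed sample lines; unlike the Sigma keyword, it percent-decodes the type parameter first, so an encoded separator such as %3B is caught as well as a literal semicolon.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines, not real telemetry; the log format is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2025:10:01:12 +0000] "GET /cgi-bin/viewcert?type=ca HTTP/1.1" 200 512
198.51.100.7 - admin@LocalDomain [16/Apr/2025:10:02:03 +0000] "GET /cgi-bin/viewcert?type=%3Bid HTTP/1.1" 200 88
198.51.100.7 - - [16/Apr/2025:10:02:09 +0000] "GET /cgi-bin/viewcert?type=;uname%20-a HTTP/1.1" 200 90
10.0.0.9 - - [16/Apr/2025:10:03:00 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_META = set(";|&`$")  # never legitimate inside a certificate type value
DEFAULT_ADMIN = "admin@LocalDomain"  # built-in account named in the article

def query_params(query):
    """Split a query string on '&' only and percent-decode keys and values."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def inspect_line(line):
    """Return a finding for a suspicious /cgi-bin/viewcert request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if url.path != "/cgi-bin/viewcert":
        return None
    reasons = []
    for value in query_params(url.query).get("type", []):
        if SHELL_META & set(value):
            reasons.append(f"shell metacharacter in type={value!r}")
    if m["user"] == DEFAULT_ADMIN:
        reasons.append(f"request authenticated as {DEFAULT_ADMIN}")
    if not reasons:
        return None
    return {"src": m["src"], "ts": m["ts"], "reasons": reasons}

def scan(log_text):
    # Apply inspect_line to every line and keep only the findings.
    return [f for f in map(inspect_line, log_text.splitlines()) if f]
```

scan(SAMPLE_LOG) returns findings for the second and third sample lines only; the first is a benign viewcert request and the fourth hits a different endpoint.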
Broader Threat Landscape Context
This campaign shares Tactics, Techniques, and Procedures (TTPs) with recent attacks against Oracle Cloud and Hertz, where credential theft enabled lateral movement [6]. The timing coincides with increased scrutiny of Chinese network infrastructure, with 35 countries routing mobile traffic through Chinese-operated systems [7].
For security professionals, this incident underscores the need for:
- Strict credential rotation policies
- Network segmentation for VPN appliances
- Behavioral monitoring of administrative interfaces
Conclusion
The SonicWall SMA exploitation campaign demonstrates how older vulnerabilities resurface in targeted attacks when paired with credential reuse. Organizations using affected devices should treat this as a critical remediation priority given the active exploitation window and potential for significant network compromise.
References
- Arctic Wolf Report on SonicWall SMA Exploitation, 2025.
- SonicWall Advisory SNWLID-2021-0010, 2021.
- CISA KEV Catalog Update, April 16, 2025.
- Reddit Thread on Cobalt Strike TTPs, 2025.
- CyberScoop: Chinese Network Risks, 2025.
- The Record: Hertz Breach Analysis, 2025.