SonicWall has patched three critical vulnerabilities in its Secure Mobile Access (SMA) 100 Series appliances after confirming that at least one has been exploited in the wild. This follows a string of recent security incidents involving the vendor’s edge devices, raising serious concerns for organizations relying on these gateways for remote network access.
As seen with previous breaches affecting Ivanti and Fortinet, SonicWall has faced mounting challenges this year. In January, February, and April, actively exploited vulnerabilities surfaced. On top of that, the Cybersecurity and Infrastructure Security Agency (CISA) recently added two past SonicWall flaws to its Known Exploited Vulnerabilities (KEV) catalog.
On May 7, SonicWall released a new security advisory highlighting three high-severity flaws—CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821—which affect multiple SMA 100 Series models, including SMA 200, 210, 400, 410, and 500v running firmware version 10.2.1.14-75sv or earlier.
Breaking Down the Exploit Chain
The most critical of the three, CVE-2025-32819, carries a CVSS score of 8.8. It stems from an earlier vulnerability first identified in 2021 by NCC Group. At the time, SonicWall applied a basic patch that required authentication but didn’t fix the underlying flaw—an oversight now being exploited.
Security researcher Ryan Emmons from Rapid7 explains, “This kind of patching is common when there’s pressure to release quick fixes. The original flaw allowed arbitrary file deletion even without login. While SonicWall added an authentication step, they left the root issue untouched.”
Now, with a low-privilege user account—possibly obtained through weak credentials or leaks on the Dark Web—an attacker can delete the device’s SQLite database. This causes the appliance to reboot and reset the default admin password to “password,” giving attackers full control.
From there, they can exploit CVE-2025-32820 (CVSS 8.3) to make directories on the appliance writable by anyone. This is followed by CVE-2025-32821 (CVSS 7.1), which allows the attacker to drop and execute a malicious file at the system root level.
Why SonicWall Devices Are High-Value Targets
SonicWall SMA devices are commonly used in enterprise environments to enable secure remote access. Their broad network privileges and exposure make them ideal targets for attackers. Unfortunately, these devices often lack endpoint protections found on standard desktops or servers.
“The target is juicy and the visibility is lacking,” Emmons notes. “That’s not a great combination.”
According to Rapid7, indicators of compromise (IoCs) suggest that this SonicWall vulnerability exploit chain has already been used in real-world attacks. Attackers are leveraging these flaws to silently gain control over enterprise infrastructure.
Mitigation and Prevention Measures
To protect against these exploits, SonicWall strongly advises customers to immediately upgrade their firmware to version 10.2.1.15-81sv. Additional recommendations include:
- Enabling Web Application Firewall (WAF) features.
- Reviewing login activity for suspicious behavior.
- Implementing multifactor authentication (MFA) on the device or through an organizational directory service.
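
One way to review login activity for the trail the exploit chain above would leave (a low-privilege login, a reboot, then an admin login), as an added example that is not SonicWall's or Rapid7's code. The event tuples are a constructed, hypothetical normalized format rather than the SMA log format, and the 30-minute window and the `admin` account name are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized form (not the SMA log format):
# (ISO timestamp, event type, username, source IP)
SAMPLE_EVENTS = [
    ("2025-05-01T02:10:00", "login_ok", "jsmith", "203.0.113.7"),
    ("2025-05-01T02:14:30", "reboot", "", ""),
    ("2025-05-01T02:19:05", "login_ok", "admin", "203.0.113.7"),
    ("2025-05-02T09:00:00", "login_ok", "admin", "10.0.0.5"),
    ("2025-05-03T23:00:00", "reboot", "", ""),  # maintenance reboot, no login nearby
    ("2025-05-04T08:30:00", "login_ok", "admin", "10.0.0.5"),
]


def find_reset_sequences(events, window=timedelta(minutes=30), admin="admin"):
    """Flag non-admin login -> reboot -> admin login, each step within `window` of the reboot."""
    parsed = sorted((datetime.fromisoformat(t), kind, user, ip) for t, kind, user, ip in events)
    logins = [e for e in parsed if e[1] == "login_ok"]
    findings = []
    for when, kind, _, _ in parsed:
        if kind != "reboot":
            continue
        # Non-admin sessions shortly before the reboot, admin sessions shortly after it.
        before = [e for e in logins if e[2] != admin and when - window <= e[0] < when]
        after = [e for e in logins if e[2] == admin and when < e[0] <= when + window]
        for pre in before:
            for post in after:
                findings.append({
                    "reboot": when.isoformat(),
                    "user": pre[2],
                    "admin_login": post[0].isoformat(),
                    "same_source": pre[3] == post[3],  # same IP raises confidence
                })
    return findings


if __name__ == "__main__":
    for finding in find_reset_sequences(SAMPLE_EVENTS):
        print(finding)
```

A hit is a lead for investigation, not proof of compromise; a finding with `same_source` set to false still deserves a look, since the source address can change between steps.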
Caitlin Condon, Director of Vulnerability Intelligence at Rapid7, emphasizes the pressure vendors face: “Organizations expect quick and precise patches. SonicWall’s response isn’t unusual, but the stakes are higher when critical access gateways are involved.”
Given the rise in sophisticated attacks on edge devices, IT teams must stay alert. Frequent vulnerability disclosures, rapid patching, and proactive configuration checks are now essential for defending against the next SonicWall vulnerability exploit, and others sure to come.