SonicWall said CVE-2021-20035 stems from improper neutralization of special elements in the SMA100 management interface. If exploited, a threat actor could remotely inject arbitrary commands as a “nobody” user, which could lead to code execution.
The vulnerability was discovered and reported by Wenxu Yin, a security researcher with Qihoo 360 Technology Co. in Beijing, China.
With the addition to CISA’s KEV catalog, federal civilian executive branch agencies have until May 7 to either patch their SonicWall appliances or discontinue use of the product if mitigations cannot be applied.
A SonicWall spokesperson told Cybersecurity Dive the vendor is actively investigating the scope and details of the exploitation.
“The threat activity was reported by a trusted SonicWall security partner. While the vulnerability affects SMA100 devices running older firmware, we continue to urge customers to follow the mitigation steps outlined in our advisory and upgrade to the latest firmware as a best practice. Security hygiene, patching, and timely firmware updates are key to protection, and we remain committed to transparency and partner engagement as threats evolve,” the spokesperson said in an email.
SonicWall vulnerabilities have been popular targets for a variety of threat actors in recent years as both cybercriminals and nation-state attackers have shifted focus to edge devices such as VPNs and firewalls. For example, in February CISA added CVE-2024-53704, an improper authentication vulnerability in the SSL VPN mechanism of the vendor’s firewalls, to the KEV catalog. Censys later reported that more than 450 vulnerable firewalls were exposed to the public internet.