
SonicWall has addressed three critical vulnerabilities in its Secure Mobile Access (SMA) 100 series devices, flaws that allowed attackers to execute arbitrary code with root privileges. Given the widespread use of these devices in corporate environments to facilitate secure VPN access, the risks associated with these vulnerabilities were deemed exceptionally severe.
The most dangerous of the three is CVE-2025-32819, which received a CVSS score of 8.8. This vulnerability enables users with SSL-VPN access to bypass path validation and delete arbitrary files, potentially resetting the device to factory settings. Experts at Rapid7 believe this flaw represents a bypass of a previously patched vulnerability first disclosed by NCC Group in December 2021.
The second vulnerability, CVE-2025-32820, with a CVSS score of 8.3, allows an attacker to exploit a path traversal flaw to make any directory on the device writable. The third issue, CVE-2025-32821, with a CVSS score of 6.7, permits an SSL-VPN administrator to inject command-line arguments and upload files to the device.
Rapid7 researchers demonstrated that these three vulnerabilities can be chained together in a coordinated attack. An adversary who gains access to an SSL-VPN account can write data into sensitive system directories, escalate privileges to the SMA administrator level, and ultimately upload and execute a malicious payload—achieving complete control over the device.
Although SonicWall has not confirmed any in-the-wild exploitation of these vulnerabilities, researchers have observed indicators of compromise and suspect that CVE-2025-32819 may have already been weaponized as a zero-day.
The vulnerabilities affect the SMA 200, 210, 400, 410, and 500v models. All issues have been resolved in firmware version 10.2.1.15-81sv. In light of recent attacks targeting SMA 100 devices—including active exploitation of vulnerabilities such as CVE-2021-20035, CVE-2023-44221, and CVE-2024-38475—administrators are strongly urged to update their systems without delay.
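To act on the update advice across a fleet, the following added example (not SonicWall or Rapid7 code) triages an appliance inventory against the fixed firmware 10.2.1.15-81sv and the affected models named above. The inventory layout, hostnames, sample firmware strings, and the assumption that the five numeric fields order releases are constructed for illustration.

```python
import re

# Values taken from the article.
FIXED = "10.2.1.15-81sv"
# Assumption: the inventory names models as "SMA <model>".
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

_FW_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version):
    """Return (major, minor, patch, rev, build) as ints, or None if unparseable.

    Assumption: numeric ordering of these five fields reflects release order.
    """
    m = _FW_RE.match(version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(inventory):
    """Classify each (hostname, model, firmware) row of the inventory."""
    fixed = parse_firmware(FIXED)
    results = {}
    for host, model, fw in inventory:
        if model not in AFFECTED_MODELS:
            results[host] = "not-in-scope"
            continue
        parsed = parse_firmware(fw)
        if parsed is None:
            results[host] = "review"  # unknown format: check by hand, never assume patched
        elif parsed < fixed:
            results[host] = "update"
        else:
            results[host] = "ok"
    return results


# Constructed sample inventory (hostnames and firmware strings are illustrative).
SAMPLE = [
    ("vpn-edge-01", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-edge-02", "SMA 500v", "10.2.1.15-81sv"),
    ("vpn-edge-03", "SMA 210", "10.2.1.9-57sv"),  # plain string compare ranks "9" above "15"
    ("vpn-edge-04", "SMA 200", "unknown"),
    ("fw-core-01", "Other appliance", "7.0.1-5050"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Comparing the firmware strings lexically would mark `10.2.1.9-57sv` as newer than the fixed release, which is why the fields are parsed to integers first.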