Yet another SonicWall SMA100 vulnerability exploited in the wild (CVE-2025-32819)

SonicWall has fixed multiple vulnerabilities affecting its SMA100 Series devices, one of which (CVE-2025-32819) appears to be a patch bypass for an arbitrary file delete vulnerability that was exploited in zero-day attacks in early 2021, and may have also been leveraged in the wild.


The vulnerabilities and the attack chain

SonicWall SMA100 Series appliances provide a unified secure access (VPN) gateway for small and medium-sized businesses, and are regularly targeted by attackers.

Reported by Rapid7 researcher Ryan Emmons, two of the fixed vulnerabilities allow a remote attacker who is able to log in with a low-privilege SMA user account to delete an arbitrary file (CVE-2025-32819) and inject a path traversal sequence to any directory on the SMA appliance to make it writable (CVE-2025-32820).

CVE-2025-32821 can only be exploited by a remote attacker who has achieved admin privileges on the device, and can be used to inject shell command arguments to upload a file on the appliance.

In a write-up released on Wednesday, Emmons demonstrated how the three vulnerabilities could be leveraged in a sequence that ends with the attacker gaining root-level remote code execution on a vulnerable SMA device:

  • CVE-2025-32819 can be exploited remotely to delete the primary SQLite database, which will trigger a system reboot to factory default settings and thus reset the password of the default SMA admin user to “password”
  • After logging in as admin to the SMA web interface, CVE-2025-32820 can be exploited to make a specific directory writable
  • CVE-2025-32821 can be leveraged to write a malicious executable file into the directory, which will be executed by the device

“Based on our testing, the unauthenticated arbitrary file delete vulnerability disclosed by NCC Group [in 2021] was patched by adding an authentication check. However, that authentication check is satisfied with a valid low-privilege session cookie, so exploitation is still viable,” Emmons explained.

Thus CVE-2025-32819, an authenticated arbitrary file delete vulnerability, can be similarly exploited, but only if the attacker obtains valid credentials for an SMA user account. Unfortunately, those can be easily sourced from the dark web or stolen via phishing or malware.

Upgrade and investigate

Based on known private indicators of compromise and Rapid7 incident response investigations, Rapid7 believes that CVE-2025-32819 “may have been used in the wild.”

SonicWall advises customers to upgrade their SMA 100 Series devices (SMA 200, 210, 400, 410, 500v) to firmware version 10.2.1.15-81sv or higher, protect user accounts by enabling multifactor authentication (MFA), and enable the built-in web application firewall feature to mitigate the risk of exploitation.
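For teams that track many SMA appliances, the practical first step is to compare each device's reported firmware against the fixed version named above. The following script is an added example, not code from SonicWall or Rapid7: it parses SMA100-style version strings (the "10.2.1.15-81sv" shape seen in the advisory; the exact format is assumed from that string, not from a SonicWall specification) and triages a constructed inventory into patched, vulnerable and unknown. Hostnames and the non-fixed version numbers in the sample inventory are made up for illustration.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed firmware version for the SMA 100 Series, as stated in the advisory.
FIXED_VERSION = "10.2.1.15-81sv"

# Assumed version shape: four dotted numeric fields, a hyphen, a build number and
# the "sv" suffix (e.g. "10.2.1.15-81sv"). Derived from the advisory string only.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of an SMA100 version string, or None if it does not parse."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version is at or above the fixed release, False if older, None if unparseable.

    Tuple comparison orders the components lexicographically, so 10.2.2.x
    compares higher than 10.2.1.15-81sv, as does a higher build number on the
    same release.
    """
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    return v >= f


# Constructed sample inventory (hostname, firmware reported by the device); not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("sma-hq-01", "10.2.1.14-75sv"),      # older release, same branch
    ("sma-branch-02", "10.2.1.15-81sv"),  # exactly the fixed version
    ("sma-lab-03", "10.2.1.16-82sv"),     # hypothetical later build
    ("sma-old-04", "10.2.0.9-41sv"),      # older branch
    ("sma-unknown-05", "n/a"),            # inventory did not capture a version
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair as 'patched', 'VULNERABLE' or 'unknown'."""
    result = []
    for host, ver in inventory:
        verdict = is_fixed(ver)
        if verdict is None:
            status = "unknown"
        elif verdict:
            status = "patched"
        else:
            status = "VULNERABLE"
        result.append((host, ver, status))
    return result


if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {ver:16} {status}")
```

Devices that land in "unknown" deserve a manual look rather than being treated as patched: an appliance whose firmware cannot be read from inventory is exactly the kind that tends to be forgotten until it is exploited.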

“SonicWall PSIRT recommends that customers review their SMA devices to ensure [there have been] no unauthorized logins,” the company also said, and confirmed that SMA1000 Series appliances are not affected by these vulnerabilities.

Finally, resetting the passwords for all users who have logged in to the device(s) via the web interface is a good idea, especially if the accounts don’t have MFA enabled.
