On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances. In the updated security advisory for the vulnerability, SonicWall indicated that it was being exploited in the wild. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the following day.
Prior to these updates, Arctic Wolf had been tracking a campaign targeting VPN credential access on SonicWall SMA devices. This credential access campaign is thought to be related to the vulnerability covered by the advisory SonicWall recently updated.
Updated Vulnerability Scope
When CVE-2021-20035 was initially disclosed in 2021, its impact was described as a potential denial of service (DoS). On April 15, 2025, SonicWall updated the advisory summary to highlight the risk of remote code execution, and the CVSS score for the vulnerability was raised to 7.2.
In spite of these changes, the vulnerability is still described as requiring an authenticated user. That is a weak barrier in practice: threat actors have well-established methods for obtaining legitimate credentials on edge devices. Credential stuffing, password spraying, brute-force, and dictionary-based attacks are commonly used to compromise VPN accounts. Once an account on an appliance has been compromised by one of these means, an authenticated vulnerability such as CVE-2021-20035 can be chained with the stolen credentials to establish persistence and widen the scope of the attack.
Campaign Details
Arctic Wolf has identified an ongoing VPN credential access campaign targeting SMA 100 series appliances, with activity starting as early as January 2025 and extending into April 2025. One noteworthy aspect of the campaign was the use of the local super admin account (admin@LocalDomain) on these appliances, which ships with an insecure default password of password.
It is important to note that even fully patched appliances can still be compromised if accounts use default or weak passwords. Details surrounding the tactics used in this campaign are limited at this time, but organizations should review the recommendations below for hardening all local accounts on SonicWall SMA devices.
Arctic Wolf is tracking known indicators of compromise associated with this campaign and will continue to alert customers if any related activity is observed.
Recommendations
Upgrade to Latest Fixed Version
| Product | Platform | Impacted Versions | Fixed Versions |
|---|---|---|---|
| SMA 100 Series | | | |
Harden Security of Local Accounts on SonicWall SMA Devices
To protect against the malicious activity observed in this campaign, organizations should apply the following security best practices on their SMA appliances:
- Enable multi-factor authentication for all accounts, especially local accounts.
- Reset the passwords of all local accounts on SonicWall SMA appliances (including admin@LocalDomain) and ensure that strong, unique passwords are used across the board.
- Limit VPN access to the minimum necessary accounts.
- Disable unneeded accounts.
Configure Log Monitoring for all Firewall Devices
To increase the likelihood of catching malicious activity early, ensure that syslog monitoring is configured for all of your organization's firewall and VPN appliances using our provided documentation. Authentication events are the ones that matter most for this campaign: repeated failed logins from a single source, a success from that same source shortly afterwards, and any login as the local super admin account should all be reviewed.
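The detection logic described above, as an added example that is not part of the original bulletin or of any SonicWall or Arctic Wolf tooling. It runs over a handful of constructed log lines in an assumed `key=value` syslog shape (the field names `user`, `src` and `msg` and the message text are assumptions, not the real SMA log format) and raises three kinds of alert: a source that crosses a failed-login threshold inside a sliding window, a successful login from a source that has just crossed that threshold, and any successful login as admin@LocalDomain.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an ASSUMED key=value syslog shape. These are not
# genuine SonicWall SMA log lines; adapt LINE_RE to the real field layout.
SAMPLE_LOGS = """\
2025-03-02T08:00:01Z sma100 auth: user=jdoe@LocalDomain src=203.0.113.10 msg="Login failed"
2025-03-02T08:00:09Z sma100 auth: user=asmith@LocalDomain src=203.0.113.10 msg="Login failed"
2025-03-02T08:00:17Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 msg="Login failed"
2025-03-02T08:00:26Z sma100 auth: user=backup@LocalDomain src=203.0.113.10 msg="Login failed"
2025-03-02T08:00:33Z sma100 auth: user=svc-vpn@LocalDomain src=203.0.113.10 msg="Login failed"
2025-03-02T08:00:41Z sma100 auth: user=admin@LocalDomain src=203.0.113.10 msg="Login succeeded"
2025-03-02T09:15:00Z sma100 auth: user=jdoe@LocalDomain src=198.51.100.7 msg="Login succeeded"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) msg="(?P<msg>[^"]*)"$'
)

# Local super admin account named in the bulletin; its use should always be reviewed.
DEFAULT_SUPER_ADMIN = "admin@LocalDomain"


def parse_line(line):
    """Parse one record in the assumed format; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["success"] = rec["msg"] == "Login succeeded"
    return rec


def detect(lines, window=timedelta(minutes=5), threshold=5):
    """Return alerts as (kind, src, user) tuples, in log order.

    brute_force            - `threshold` or more failed logins from one source inside `window`
    default_admin          - any successful login as the local super admin account
    success_after_failures - a success from a source whose recent failures reached `threshold`
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    flagged = set()                # sources already reported for brute force
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, user, ts = rec["src"], rec["user"], rec["ts"]
        # Expire failures that fell out of the sliding window for this source.
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if not rec["success"]:
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user))
            continue
        if user == DEFAULT_SUPER_ADMIN:
            alerts.append(("default_admin", src, user))
        if len(recent) >= threshold:
            alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOGS):
        print(f"{kind:24} src={src} user={user}")
```

On the constructed input the first five lines (five different usernames from one source, a spraying pattern) trip the brute-force rule, and the sixth line produces both the default-admin and the success-after-failures alerts; the unrelated login from 198.51.100.7 produces nothing. The brute-force alert fires once per source rather than on every subsequent failure so that a noisy scanner does not flood the queue.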