SonicWall this week updated its security advisory for an SMA 100 series vulnerability patched in 2021 to warn customers that the flaw has been exploited in the wild.
The vulnerability is tracked as CVE-2021-20035 and it has been described by SonicWall as an authenticated arbitrary command execution vulnerability.
“Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to code execution,” SonicWall’s advisory explains.
The flaw impacts the SMA 200, 210, 400, 410 and 500v products running software versions prior to 10.2.1.1-19sv, 10.2.0.8-37sv and 9.0.0.11-31sv.
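A version check against the fixed builds listed above, added here as an example; it is not code from SonicWall or from the original article. It assumes each fixed build applies to the release branch that shares its first three fields and that versions follow the `a.b.c.d-NNsv` format shown. The hostnames and inventory are constructed.

```python
import re

# Fixed builds named in the article.
FIXED_BUILDS = ("10.2.1.1-19sv", "10.2.0.8-37sv", "9.0.0.11-31sv")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$", re.IGNORECASE)


def parse_version(text):
    """Turn '10.2.1.1-19sv' into (10, 2, 1, 1, 19) so fields compare numerically."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(field) for field in match.groups())


# Assumption: the first three fields identify the release branch a fix belongs to.
FIXED_BY_BRANCH = {parse_version(v)[:3]: parse_version(v) for v in FIXED_BUILDS}


def assess(version):
    """Classify one firmware version string against the fixed builds."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BY_BRANCH.get(parsed[:3])
    if fixed is None:
        # Branch not named in the article: confirm against the vendor advisory.
        return "check-advisory"
    return "vulnerable" if parsed < fixed else "patched"


# Constructed inventory: (hostname, reported firmware version).
INVENTORY = [
    ("sma-hq.example", "10.2.1.0-17sv"),
    ("sma-branch.example", "10.2.0.8-37sv"),
    ("sma-lab.example", "9.0.0.9-26sv"),  # 9 < 11 numerically; a string compare gets this wrong
    ("sma-legacy.example", "10.1.0.3-5sv"),
]


def triage(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```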
When the patches were announced in September 2021, the vulnerability went largely unnoticed, likely because it was assigned a ‘medium severity’ rating (CVSS of 5.5) and because its exploitation requires authentication.
However, the vendor has made two updates to its advisory this week: one to warn customers about potential in-the-wild exploitation, and one to assign it a new CVSS score of 7.2, which makes the flaw ‘high severity’.
“This vulnerability is believed to be actively exploited in the wild,” SonicWall wrote in the updated advisory.
There does not appear to be any public information about the attacks exploiting CVE-2021-20035. Considering that exploitation requires authentication, the attacks may involve a second vulnerability — either a known issue or a zero-day.
CVE-2021-20035 was originally reported to SonicWall by a researcher at the Alpha Lab unit of Chinese cybersecurity firm Qihoo 360. Alpha Lab unit researchers are known for the discovery of high-impact flaws, but there is no indication that the Chinese company was also the one that spotted malicious exploitation.
It’s not uncommon for SMA 100 appliances to be targeted by threat actors, including through the exploitation of zero-day vulnerabilities.
CISA on Wednesday added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, which includes a dozen other SonicWall product vulnerabilities, many of them impacting SMA 100 appliances.