SonicWall on Wednesday announced patches for three vulnerabilities in its Secure Mobile Access (SMA) 100 series appliances that could lead to remote code execution (RCE).
The first of the bugs, tracked as CVE-2025-32819 (CVSS score of 8.8), is an arbitrary file delete issue that can be exploited by authenticated attackers with user privileges.
An attacker could bypass the device’s path traversal checks and delete an arbitrary file, which could lead to the appliance rebooting to factory default settings, SonicWall explains in its advisory.
Rapid7, which warns that CVE-2025-32819 has been exploited as a zero-day, explains that the flaw is likely a bypass for a 2021 patch resolving an unauthenticated arbitrary file delete defect.
Using a valid low-privilege session cookie, an attacker can bypass the check SonicWall added to resolve the initial vulnerability, delete any file as root, and escalate their privileges to administrator.
“Based on known (private) IOCs and Rapid7 incident response investigations, we believe this vulnerability may have been used in the wild,” the cybersecurity firm says.
Rapid7 has not shared any information about these attacks and SonicWall’s advisory does not mention in-the-wild exploitation.
The second issue, tracked as CVE-2025-32820 (CVSS score of 8.3), allows a remote attacker with user privileges to inject “a path traversal sequence to make any directory on the SMA appliance writable”.
Successful exploitation of the bug could also allow an attacker to overwrite any file on the system with junk contents, as root, creating a persistent denial of service (DoS) condition, Rapid7 says.
Tracked as CVE-2025-32821 (CVSS score of 6.7), the third flaw allows a remote, authenticated attacker with user privileges to “inject shell command arguments to upload a file on the appliance”, SonicWall says.
According to Rapid7, an attacker can exploit the defect to upload the file anywhere on the system. The file is under the attacker’s control and the ‘nobody’ user can write to it.
“It’s also possible to copy existing files that the ‘nobody’ user can read, such as ‘/etc/passwd’ or the application’s SQLite database, to the web root directory for data exfiltration,” the cybersecurity firm says.
Rapid7 warns that an attacker authenticated as an SSLVPN user can chain these security defects to “make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory,” to achieve root-level RCE.
SonicWall has released software version 10.2.1.15-81sv to address the vulnerabilities in its SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v secure remote access products. Users are advised to update their appliances as soon as possible.