SonicWall warns users to patch critical vulnerability “as soon as possible”

SonicWall has issued a security notice about its SMA 100 series of appliances. The vulnerability could potentially allow a remote unauthenticated attacker to delete arbitrary files from an SMA 100 series appliance and gain administrator access to the device.


SonicWall is a company that specializes in securing networks. It sells a range of Internet appliances primarily directed at content control and network security, including devices providing services for network firewalls, unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.

In June of 2021 we wrote about another vulnerability in the same Secure Mobile Access (SMA) 100 series. Back then SonicWall had been made aware of an imminent ransomware campaign using stolen credentials.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-20034 and is due to an improper limitation of a file path to a restricted directory, potentially leading to arbitrary file deletion without any authentication, which can result in a remote attacker obtaining administrator access on the underlying host.

The critical bug has received a score of 9.1 out of 10 on the CVSS scale of severity. At the moment there is no evidence that this vulnerability is being exploited in the wild.

In short, this is an improper access control vulnerability in SMA-100 that allows a remote unauthenticated attacker to bypass path traversal checks and delete an arbitrary file. If the attacker knows what they are doing, this can potentially result in a reboot to factory default settings. With the default settings in place, the attacker can gain administrator privileges by using the factory default credentials.
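The bug class described above (CWE-22: a path check that can be bypassed before a file is deleted) is easiest to see next to its fix. The Python sketch below is an added example, not SonicWall's code or anything taken from the advisory; the function names, the `uploads`/`config` layout and the sample inputs are all constructed for illustration.

```python
import os
import tempfile

def naive_resolve(base: str, name: str) -> str:
    # Weak pattern (hypothetical): strip "../" once, then join. "....//" collapses back to "../".
    return os.path.join(base, name.replace("../", ""))

def safe_resolve(base: str, name: str) -> str:
    # Canonicalize first (collapses "..", follows symlinks), then check containment.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"rejected path outside {base_real!r}: {name!r}")
    return target

def delete_upload(base: str, name: str) -> str:
    # Hardened delete: only removes files that resolve inside base.
    target = safe_resolve(base, name)
    os.remove(target)
    return target

def escapes(base: str, path: str) -> bool:
    # True when path canonicalizes to somewhere outside base.
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real

def make_tree() -> str:
    # Constructed sample layout: <root>/uploads/a.tmp and <root>/config/settings.db
    root = tempfile.mkdtemp()
    for d in ("uploads", "config"):
        os.mkdir(os.path.join(root, d))
    for rel in ("uploads/a.tmp", "config/settings.db"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")
    return root

if __name__ == "__main__":
    root = make_tree()
    uploads = os.path.join(root, "uploads")
    crafted = "....//config/settings.db"  # constructed input that survives the naive filter
    print("naive filter lets path escape:", escapes(uploads, naive_resolve(uploads, crafted)))
    try:
        delete_upload(uploads, "../config/settings.db")
    except PermissionError as exc:
        print("hardened check:", exc)
    print("legitimate delete:", delete_upload(uploads, "a.tmp"))
```

The check that matters is the order of operations: resolve the final path first, then compare it with the allowed directory, rather than filtering substrings out of the raw input.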

Affected devices

The appliances that are affected are SMA 100, 200, 210, 400, 410, and 500v. Since there are no temporary mitigations, SonicWall urges impacted customers to implement applicable patches as soon as possible. A detailed list with impacted platforms and versions can be found here.


SonicWall customers can log in to its website to get updated firmware for their appliances. (The update also fixes a local privilege escalation weakness, and a denial-of-service vulnerability.)

In the context of the previous vulnerability, we want to add the advice to change the administrator password on the appliances, especially if they are still set to the default. Threat actors may be inclined to scan for Internet-facing devices and try to gain access by using the default or leaked credentials.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.