CISA Alerts on Exploited SonicWall Command Injection Vulnerability

CISA Adds SonicWall SMA100 OS Command Injection Vulnerability to Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-20035, a critical vulnerability affecting SonicWall SMA100 appliances, to its Known Exploited Vulnerabilities (KEV) Catalog as of April 16, 2025.

This addition is based on confirmed evidence of active exploitation, underscoring the persistent threat posed by vulnerabilities in widely deployed network security devices.

Technical Overview: CVE-2021-20035

CVE-2021-20035 is an OS command injection vulnerability rooted in improper neutralization of special elements in the SonicWall SMA100 management interface.

This flaw allows remote authenticated attackers to inject and execute arbitrary operating system commands as the ‘nobody’ user, which can result in unauthorized command execution and Denial of Service (DoS) conditions on the appliance.

Affected Products and Versions

The vulnerability impacts the following SonicWall SMA100 series models and firmware versions:

  • SMA 200, 210, 400, 410, and 500V
  • Firmware versions 9.0.0.10-28sv and earlier, 10.2.0.7-34sv and earlier, and 10.2.1.0-17sv and earlier

Exploitation and Attack Vectors

Attackers exploiting CVE-2021-20035 require authenticated access to the management interface. Once access is gained, specially crafted input can be used to inject malicious commands, leveraging the underlying OS with the privileges of the ‘nobody’ user.

This can compromise the integrity, confidentiality, and availability of the affected systems.

Risk Factors and Impact

The exploitation of this vulnerability poses significant risks, particularly for federal agencies and organizations operating critical infrastructure.

Attackers can:

  • Execute unauthorized commands
  • Cause service disruptions (DoS)
  • Potentially pivot to further network compromise

Binding Operational Directive (BOD) 22-01 and Remediation

CISA’s Binding Operational Directive 22-01 requires all Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the KEV Catalog by specified deadlines.

While BOD 22-01 is compulsory for federal agencies, CISA strongly advises all organizations—including state, local, tribal, territorial governments, and private sector entities—to prioritize remediation of cataloged vulnerabilities to enhance their cybersecurity posture.

Remediation Steps

  • Immediate Action: Apply the latest security patches provided by SonicWall to all affected SMA100 appliances.
  • Access Controls: Restrict management interface access to trusted networks and implement strong authentication measures.
  • Monitoring: Continuously monitor for signs of exploitation, such as unusual network activity or unauthorized access attempts.
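The affected-version list above and the "Immediate Action" step both come down to one check: does an appliance's model and firmware fall at or below one of the three advisory ceilings? The following Python script is an added example, not SonicWall's or CISA's code. It parses SMA100 version strings of the form major.minor.patch.build-NNsv, compares them branch by branch against the three ceilings stated in the advisory, and triages a constructed inventory. The only version strings taken from the page are the three ceilings; every other hostname and version in the sample inventory is constructed for illustration.

```python
import re
from typing import List, Tuple

# Firmware ceilings taken from the advisory. Every build at or below the
# ceiling in the same branch (first three version components) is affected.
AFFECTED_CEILINGS = {
    (9, 0, 0): "9.0.0.10-28sv",
    (10, 2, 0): "10.2.0.7-34sv",
    (10, 2, 1): "10.2.1.0-17sv",
}

# Models named in the advisory, normalised to no spaces / upper case.
AFFECTED_MODELS = {"SMA200", "SMA210", "SMA400", "SMA410", "SMA500V"}

# SMA100 firmware strings look like 10.2.0.7-34sv: four dotted integers,
# a dash, a build number and the literal suffix "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '10.2.0.7-34sv' into (10, 2, 0, 7, 34) so tuples compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def normalise_model(model: str) -> str:
    return model.replace(" ", "").upper()


def assess(model: str, firmware: str) -> str:
    """Return 'affected', 'patched' or 'unlisted' for one appliance.

    'unlisted' means the model or firmware branch is outside the ranges the
    advisory names; it is not a statement that the device is safe.
    """
    if normalise_model(model) not in AFFECTED_MODELS:
        return "unlisted"
    version = parse_version(firmware)
    ceiling = AFFECTED_CEILINGS.get(version[:3])
    if ceiling is None:
        return "unlisted"
    return "affected" if version <= parse_version(ceiling) else "patched"


def triage_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (hostname, model, firmware) rows to (hostname, status).

    Rows whose firmware string cannot be parsed are reported as 'unparseable'
    rather than silently skipped, so they still get looked at.
    """
    results = []
    for host, model, firmware in rows:
        try:
            status = assess(model, firmware)
        except ValueError:
            status = "unparseable"
        results.append((host, status))
    return results


# Constructed sample inventory (hostnames and non-ceiling versions are invented).
SAMPLE_INVENTORY = [
    ("vpn-a", "SMA 410", "10.2.0.7-34sv"),   # exactly at the ceiling: affected
    ("vpn-b", "SMA 410", "10.2.0.7-35sv"),   # one build past the ceiling: patched
    ("vpn-c", "SMA 500v", "9.0.0.9-26sv"),   # below the 9.0.0 ceiling: affected
    ("vpn-d", "SMA 200", "10.2.1.1-19sv"),   # later patch level in 10.2.1: patched
    ("vpn-e", "SMA 210", "10.2.2.0-1sv"),    # branch not named in the advisory
    ("vpn-f", "SMA 1000", "12.4.0-1sv"),     # different product line: unlisted
    ("vpn-g", "SMA 400", "unknown"),         # bad data: unparseable
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {status}")
```

Treat "unlisted" and "unparseable" as work items, not clean results: a version outside the three branches still needs checking against the vendor's current advisory, and an inventory entry with no usable firmware string usually means the device has not been reviewed at all.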

Risk Factor Table

| Risk Factor | Description | Severity | Mitigation |
|---|---|---|---|
| Remote Code Execution (RCE) | Attackers can execute arbitrary OS commands remotely | High | Apply vendor patches, restrict access |
| Denial of Service (DoS) | Exploitation can disrupt device availability | High | Patch systems, monitor for attacks |
| Privilege Escalation | Attackers may gain unauthorized system privileges | Medium | Limit user permissions, monitor logs |
| Exploitation by APT Groups | Potential targeting by advanced persistent threat actors | High | Patch promptly, enhance monitoring |
| Data Breach Risk | Compromised devices may lead to sensitive data exposure | High | Encrypt data, restrict access |

Broader Implications

The inclusion of CVE-2021-20035 in the KEV Catalog highlights the ongoing targeting of network security appliances by malicious cyber actors.

CISA’s KEV Catalog serves as a vital resource for organizations to track actively exploited vulnerabilities and prioritize remediation efforts.

Exploits in the catalog often enable remote code execution, privilege escalation, and denial of service, making timely patching and robust vulnerability management essential for all organizations.

CISA’s latest alert is a critical reminder for all organizations to stay vigilant, monitor the KEV Catalog, and swiftly remediate known exploited vulnerabilities.

Proactive patch management and layered security controls remain the most effective defenses against evolving cyber threats targeting essential network infrastructure.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
