Older SonicWall SMA100 vulnerability is being exploited in real-world attacks
In recent cyber attacks, a threat actor known as UNC6148 has been targeting SonicWall SMA 100 appliances. The attacks have been linked to the deployment of a backdoor called OVERSTEP, which modifies the boot process of SMA 100 appliances, allowing for persistent access and data theft.
CVE-2021-20035 is listed among the vulnerabilities potentially exploited in these attacks, but how it was used is less clearly documented than for the other vulnerabilities involved, and the exact initial access vector for the OVERSTEP malware is not well documented.
UNC6148 primarily uses stolen credentials and one-time password seeds to access devices, relying on information taken earlier so that patching alone does not revoke its access. Other vulnerabilities, such as CVE-2021-20038 and CVE-2024-38475, are also linked to these attacks.
In short, CVE-2021-20035 is one of several vulnerabilities potentially exploited against SonicWall SMA100 appliances, but its role in the recent nation-state attacks is far less prominent in the reporting than that of the other vulnerabilities tied to UNC6148.
CVE-2021-20035 is an OS command-injection vulnerability in SonicWall SMA100 remote-access appliances. If exploited, a threat actor could remotely inject arbitrary commands as a "nobody" user, which could lead to code execution. The vulnerability was initially patched in September 2021.
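To make the vulnerability class described above concrete, here is an added illustration that is not SonicWall's code and does not reproduce the actual SMA100 flaw (its internals are not on this page): a constructed web handler that pings a user-supplied host, shown in the vulnerable shell-string form beside an allow-list-validated argv form, plus a small checker that flags shell metacharacters in the query parameters of constructed web-server log lines. The function names, the `/diag` endpoint, the hostname pattern and the sample log lines are all assumptions made for the example.

```python
import re
import subprocess
from urllib.parse import unquote

# Assumed allow-list for a hostname argument: letters, digits, dots and hyphens,
# starting and ending with an alphanumeric character.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Characters a POSIX shell treats specially. Their presence in a value that should
# be a plain hostname is the signal a code reviewer or a detection rule looks for.
SHELL_META = set(";|&`$()<>\n\\'\"")


def vulnerable_ping(host: str) -> str:
    """Vulnerable pattern: untrusted input pasted into a shell command string.

    The shell parses the whole string, so metacharacters in `host` change its
    meaning and any extra command runs as the web process's account (the
    low-privileged "nobody" user in the advisory's description). Kept here only
    for contrast; nothing in this module calls it.
    """
    return subprocess.run(f"ping -c 1 {host}", shell=True,
                          capture_output=True, text=True).stdout


def build_ping_argv(host: str) -> list[str]:
    """Hardened pattern: validate against an allow-list, then build an argv
    list. With shell=False no shell ever interprets the value."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def hardened_ping(host: str) -> str:
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True).stdout


def suspicious_params(log_line: str) -> list[str]:
    """Detection side: names of query parameters in a combined-format web log
    line whose URL-decoded value contains shell metacharacters."""
    m = re.search(r'"(?:GET|POST) \S*\?(\S*) HTTP/', log_line)
    if not m:
        return []
    hits = []
    for pair in m.group(1).split("&"):
        key, _, raw = pair.partition("=")
        value = unquote(raw.replace("+", " "))
        if SHELL_META & set(value):
            hits.append(key)
    return hits


# Constructed sample log lines for the example (not real appliance logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:00 +0000] "GET /diag?host=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2025:10:00:07 +0000] "GET /diag?host=127.0.0.1%3Bid&x=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2025:10:00:09 +0000] "POST /diag?host=%60uname%60 HTTP/1.1" 200 512',
]


def flagged_lines(lines=SAMPLE_LOG) -> list[int]:
    """Indexes of log lines carrying at least one suspicious parameter."""
    return [i for i, line in enumerate(lines) if suspicious_params(line)]


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    for i in flagged_lines():
        print("suspicious request:", SAMPLE_LOG[i])
```

The allow-list check is the real fix: rejecting anything outside the expected character set removes the class of bug regardless of which command is run, and passing an argv list rather than a string means a future change to the command cannot quietly reintroduce shell parsing. The log checker is a triage aid, not a substitute for patching; it only surfaces requests worth a closer look.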
The CVSS score for the vulnerability was raised from 6.5 to 7.2, making it a high-severity flaw. Separately, more than 450 vulnerable firewalls were exposed to the public internet through CVE-2024-53704, an improper-authentication vulnerability in SonicWall's SSL VPN mechanism that was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in February.
SonicWall is actively investigating the scope and details of the exploitation and urges customers to follow the mitigation steps outlined in the advisory and upgrade to the latest firmware. The company continues to advocate for security hygiene, patching, and timely firmware updates as key to protection.
Federal civilian executive branch agencies have until May 7 to either patch their SonicWall appliances or discontinue use of the product if mitigations cannot be applied.
Editor's note: this story has been updated with a statement from SonicWall, provided by email, in which the company again emphasises security hygiene, patching, and timely firmware updates as the key to protecting against such threats.
- The firewall vendor SonicWall is dealing with a series of cyber attacks by the threat actor UNC6148, which has deployed a backdoor called OVERSTEP that modifies the boot process of SMA 100 appliances for persistent access and data theft.
- CVE-2021-20035 is one of the vulnerabilities potentially exploited in these attacks, but the details of its exploitation are less clearly documented than those of the other vulnerabilities linked to the campaign.
- UNC6148 primarily employs stolen credentials and one-time password seeds, relying on information taken earlier so that patching alone does not revoke its access, alongside other vulnerabilities such as CVE-2021-20038 and CVE-2024-38475.
- The ongoing attacks on SonicWall SMA 100 appliances are a reminder of the importance of security tooling, patching, and timely firmware updates in mitigating ransomware and other malicious threats.