On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability.

Tracked as CVE-2021-20035, this security flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. Successful exploitation can allow remote threat actors with low privileges to execute arbitrary code in low-complexity attacks.

“Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to code execution,” SonicWall explains in an advisory updated this week.

SonicWall patched this vulnerability almost four years ago, in September 2021, when the company said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks.

However, on Monday, it updated the CVE-2021-20035 security advisory to flag it as exploited in attacks, upgrade the CVSS severity score from medium to high, and expand the impact to include code execution.

“This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2,” SonicWall said.

Yesterday, CISA confirmed the vulnerability is now being abused in the wild by adding it to the Known Exploited Vulnerabilities catalog, which lists security flaws flagged by the cybersecurity agency as actively exploited in attacks.

As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until May 7th, to secure their networks against ongoing attacks.

While BOD 22-01 only applies to U.S. federal agencies, all network defenders should prioritize patching this security vulnerability as soon as possible to block potential breach attempts.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.

In February, SonicWall also warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that could let hackers hijack VPN sessions.

One month earlier, the company urged customers to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks.