A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.

This security flaw (CVE-2021-20035) impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and was patched almost four years ago, in September 2021, when SonicWall said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks.

However, the company updated the four-year-old security advisory on Monday to flag the security bug as exploited in attacks, expand the impact to include remote code execution, and upgrade the CVSS severity score from medium to high severity.

“This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2,” SonicWall said.

Successful exploitation can allow remote threat actors with low privileges to exploit an “improper neutralization of special elements in the SMA100 management interface” to inject arbitrary commands as a ‘nobody’ user and execute arbitrary code in low-complexity attacks.

CISA has also added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming it’s now being abused in the wild and ordering Federal Civilian Executive Branch (FCEB) agencies to secure their networks against ongoing attacks until May 7th.

Actively exploited since January

Days after SonicWall tagged the security bug as exploited in the wild without sharing when the attacks started, cybersecurity company Arctic Wolf reported that threat actors used CVE-2021-20035 exploits in attacks as early as January 2025.

In this campaign, the attackers have also used a local super admin account with a “password” default password to target SMA 100 appliances with the management interface exposed online.

“Arctic Wolf has identified an ongoing VPN credential access campaign targeting SMA 100 series appliances, with a starting timeframe as early as January 2025, extending into April 2025,” the cybersecurity firm said.

“One noteworthy aspect of the campaign was the use of a local super admin account (admin@LocalDomain) on these appliances, which has an insecure default password of password.”

To block CVE-2021-20035 attacks targeting their SonicWall appliances, Arctic Wolf advised network defenders to limit VPN access to the minimum necessary accounts, deactivate unneeded accounts, enable multi-factor authentication for all accounts, and reset passwords for all local accounts on SonicWall SMA firewalls.

In February, SonicWall also urged customers in January to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks and, one month later, warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that can let hackers hijack VPN sessions.