FortiGuard Outbreak Alert: SonicWall Secure Mobile Access Attack
| Field | Details |
| --- | --- |
| Description | SonicWall SMA (Secure Mobile Access) is a secure remote access solution that allows users to access internal resources. A key component of this campaign was the deployment of OVERSTEP on the vulnerable appliance. OVERSTEP is a custom rootkit that allows attackers to control the appliance and exfiltrate data from it. The following CVEs targeting SonicWall SMA 100 series appliances were observed during the campaign. CVE-2025-32819 is a privilege-escalation vulnerability in SonicWall SMA 100 series appliances that allows a remote, authenticated user to delete files as root. CVE-2024-38475 is a path-traversal vulnerability in the Apache HTTP Server that affects the SonicWall SMA 100 series; it allows unauthenticated users to read arbitrary files on the server. CVE-2021-20038 is a buffer overflow vulnerability in the environment-variable handling of the SMA 100 Apache httpd server's mod_cgi module that could allow attackers to execute code. CVE-2021-20035 is a command injection vulnerability in SonicWall SMA 100 series appliances that allowed an authenticated attacker to inject commands, leading to a denial of service. CVE-2021-20039 is a command injection vulnerability in SonicWall SMA 100 series appliances that allowed an authenticated attacker to inject commands and achieve remote code execution. |
| CVE ID | CVE-2025-32819 (https://nvd.nist.gov/vuln/detail/CVE-2025-32819); CVE-2024-38475 (https://nvd.nist.gov/vuln/detail/CVE-2024-38475); CVE-2021-20038 (https://nvd.nist.gov/vuln/detail/CVE-2021-20038); CVE-2021-20035 (https://nvd.nist.gov/vuln/detail/CVE-2021-20035); CVE-2021-20039 (https://nvd.nist.gov/vuln/detail/CVE-2021-20039) |
| NDR Cloud Detection Rule | FortiNDR Cloud v25.3.a+ |
| Playbook | N/A |
| Threat Hunting | FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “SonicWall Secure Mobile Access Attack” related activities. IOC source: https://www.fortiguard.com/outbreak-ioc?tag=SonicWall%20SMA%20Attack. All IOCs relating to "SonicWall Secure Mobile Access Attack" have been added to Threat Intelligence Intel. |
| Suricata Coverage | Customers can create custom investigations/detections using the Suricata signatures below: 2034984 -> ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1; 2034985 -> ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2; 2034986 -> ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039 |
| Other Fortinet Products | For more details on mitigating these vulnerabilities with Fortinet products, please refer to: https://www.fortiguard.com/outbreak-alert/sonicwall-sma-attack |
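The Suricata Coverage row names three SIDs but does not show how to confirm that a sensor actually loads them. The following script is an added example, not FortiNDR Cloud or Emerging Threats code: it parses a Suricata rules file, looks up the three SIDs from the alert, and reports each as enabled, disabled (present but commented out with `#`) or missing. The sample rules file embedded below is constructed for the demonstration; its rule bodies are placeholders, and only the `sid` values come from the alert.

```python
"""Check that the Suricata SIDs listed in the alert are present and enabled.

Added example for this alert; not FortiNDR Cloud or Emerging Threats code.
"""
import re
from typing import Dict, List

# SIDs and names copied from the alert's "Suricata Coverage" row.
ALERT_SIDS: Dict[int, str] = {
    2034984: "ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1",
    2034985: "ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2",
    2034986: "ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039",
}

# Suricata rule options are ';'-separated; the sid option looks like "sid:2034984;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_status(rules_text: str, wanted: Dict[int, str] = ALERT_SIDS) -> Dict[int, str]:
    """Return {sid: 'enabled' | 'disabled' | 'missing'} for every wanted SID."""
    found: Dict[int, str] = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SID_RE.search(line)
        if not match:
            continue  # comment or blank line without a sid option
        sid = int(match.group(1))
        if sid not in wanted:
            continue
        # A rule whose line starts with '#' is shipped but disabled.
        status = "disabled" if line.startswith("#") else "enabled"
        # If a SID appears more than once, an enabled copy takes precedence.
        if found.get(sid) != "enabled":
            found[sid] = status
    return {sid: found.get(sid, "missing") for sid in wanted}


def missing_or_disabled(rules_text: str, wanted: Dict[int, str] = ALERT_SIDS) -> List[int]:
    """SIDs from the alert that the sensor would not fire on, sorted ascending."""
    return sorted(sid for sid, status in rule_status(rules_text, wanted).items()
                  if status != "enabled")


# Constructed sample rules file. Rule bodies are placeholders, not the real
# Emerging Threats signatures; only the sid values are taken from the alert.
SAMPLE_RULES = """\
# constructed sample ruleset for the example, not an Emerging Threats file
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER SMA rule M1"; flow:established,to_server; sid:2034984; rev:1;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER SMA rule M2"; flow:established,to_server; sid:2034985; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER unrelated rule"; sid:2000001; rev:1;)
"""

if __name__ == "__main__":
    for sid, status in rule_status(SAMPLE_RULES).items():
        print(f"{sid} {status:8s} {ALERT_SIDS[sid]}")
    print("needs attention:", missing_or_disabled(SAMPLE_RULES))
```

Pointing `rule_status` at the real rules file a sensor loads (for instance the merged file produced by `suricata-update`) gives a quick pre-deployment check that the three signatures referenced by the alert are both present and not commented out, before relying on them for hunting.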
