FortiNDRCloud
kcheung
Staff
Article Id 405390
Description

SonicWall SMA (Secure Mobile Access) is a secure remote access solution that allows users to access internal resources.


The Google Threat Intelligence Group (GTIG) has reported that threat actor UNC6148 is conducting an ongoing campaign targeting SonicWall SMA 100 series appliances.

 

A key component of this campaign was the deployment of OVERSTEP on compromised appliances. OVERSTEP is a custom rootkit that gives the attackers persistent control of the appliance and allows them to exfiltrate data from it.

 

The following CVEs affecting SonicWall SMA 100 series appliances were observed being exploited during the campaign:

 

CVE-2025-32819 is an arbitrary file deletion vulnerability in SonicWall SMA 100 series appliances which allows a remote, authenticated user with SSL VPN privileges to bypass path traversal checks and delete files as root, which can be chained into privilege escalation.

 

CVE-2024-38475 is an improper output escaping flaw in the Apache HTTP Server mod_rewrite module which also affects SonicWall SMA 100 series appliances. It allows an unauthenticated attacker to map URLs to filesystem locations that were not intended to be reachable, resulting in remote file reads on the server.

 

CVE-2021-20038 is a stack-based buffer overflow in the handling of environment variables by the SMA100 Apache httpd server's mod_cgi module, which could allow an unauthenticated remote attacker to execute code.

 

CVE-2021-20035 is a command injection vulnerability in the SonicWall SMA 100 series management interface which allows a remote, authenticated attacker to inject arbitrary commands, potentially leading to denial of service.

 

CVE-2021-20039 is a command injection vulnerability in the SonicWall SMA 100 series management interface which allows a remote, authenticated attacker to inject arbitrary commands, potentially leading to remote code execution.

CVE ID

CVE-2025-32819 (https://nvd.nist.gov/vuln/detail/CVE-2025-32819)
CVE-2024-38475 (https://nvd.nist.gov/vuln/detail/CVE-2024-38475)
CVE-2021-20038 (https://nvd.nist.gov/vuln/detail/CVE-2021-20038)
CVE-2021-20035 (https://nvd.nist.gov/vuln/detail/CVE-2021-20035)
CVE-2021-20039 (https://nvd.nist.gov/vuln/detail/CVE-2021-20039)

NDR Cloud Detection Rule

FortiNDR Cloud v25.3.a+

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: SonicWall SMA100 FileShare Path Traversal - CVE-2025-32819 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Apache HTTP Server MOD Rewrite Remote Code Execution - CVE-2024-38475 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: SonicWall SMA100 Remote Code Execution - CVE-2021-20039 | Attack: Exploitation | T1190 - Exploit Public-Facing Application

Playbook: N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “SonicWall Secure Mobile Access Attack” related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=SonicWall%20SMA%20Attack
All IOCs relating to "SonicWall Secure Mobile Access Attack" have been added to Threat Intelligence intel.
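As an added example of the hunt described here (it is not FortiNDR Cloud or Fortinet code), the following Python script matches constructed Apache-style access-log lines against a placeholder IOC set and also flags percent-encoded ".." path traversal requests of the kind the CVE-2025-32819 and CVE-2024-38475 descriptions above involve. The IOC addresses (RFC 5737 documentation ranges), the log lines, the request paths and the function names are all assumptions made for the example; real indicators should be loaded from the FortiGuard IOC feed linked above, and the traversal requests are synthetic rather than real exploit payloads.

```python
import re
from urllib.parse import unquote

# Constructed placeholder IOC set (RFC 5737 documentation addresses).
# In practice, load the indicators from the FortiGuard outbreak IOC feed.
IOC_IPS = {"203.0.113.45", "198.51.100.77"}

# Constructed access-log lines, as an SMA appliance or a proxy in front of it
# might record them. The traversal requests are synthetic, not real payloads.
SAMPLE_LOG = """\
203.0.113.45 - - [15/Jul/2025:10:01:02 +0000] "GET /scripts/..%2f..%2fetc/passwd HTTP/1.1" 200 1234
192.0.2.10 - - [15/Jul/2025:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.20 - - [15/Jul/2025:10:03:00 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
198.51.100.77 - - [15/Jul/2025:10:04:20 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
192.0.2.30 - - [15/Jul/2025:10:05:40 +0000] "POST /login HTTP/1.1" 200 64
"""

# Combined-log-format style line: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path, max_rounds=3):
    """Percent-decode repeatedly (defeats double encoding such as %252e), drop any
    query string and unify backslashes so '..' segments can be compared literally."""
    current = path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(path):
    """True if any path segment is exactly '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def hunt(lines, ioc_ips):
    """Flag requests from IOC sources and/or carrying a traversal attempt.
    Blocked (403) traversal attempts are kept: they still show who is probing."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["src"] in ioc_ips:
            reasons.append("ioc_ip")
        if has_traversal(rec["path"]):
            reasons.append("path_traversal")
        if reasons:
            findings.append({"src": rec["src"], "path": rec["path"],
                             "status": int(rec["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines(), IOC_IPS):
        print(f["src"], f["status"], ",".join(f["reasons"]), f["path"])
```

The decode loop is the part worth keeping: a single `unquote` would miss the double-encoded request on the third line, and normalizing before splitting on "/" avoids matching substrings such as "..c" that are not traversal. This complements the NDR detection rules above; it does not replace them.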

Suricata Coverage

Customers can create custom investigations/detections using the following Emerging Threats (ET) Suricata signatures (SID -> rule name):

2034984 -> ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1

2034985 -> ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2

2034986 -> ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039

Other Fortinet Products

For more details on mitigating these vulnerabilities with Fortinet products, please refer to:
https://www.fortiguard.com/outbreak-alert/sonicwall-sma-attack