Threat Response – SonicWall fixes critical bug allowing SMA 100 device takeover



On Friday 24th September, SonicWall has patched a critical security flaw impacting several Secure Mobile Access (SMA) 100 series products that can let unauthenticated attackers remotely gain admin access on targeted devices. [1]


The SMA 100 series appliances are vulnerable to attacks targeting the improper access control vulnerability tracked as CVE-2021-20034 [2]. This includes devices SMA 200, 210, 400, 410, and 500v. Successful exploitation can let attackers delete arbitrary files from unpatched SMA 100 devices and reboot to default settings. Consequently, attackers may gain administrator access to the device.

There are no temporary mitigations to remove the attack vector, and SonicWall strongly urges organisations using SMA 100 series appliances to deploy security updates that address the flaw as soon as possible.


Successful exploitation may lead to gaining complete control of the firewall and thus the capability to gain access to the organisation’s network. Therefore we assess the impact as high.


Although there is currently no evidence that this vulnerability is being exploited in the wild, however SonicWall SMA 100 series appliances have been targeted by ransomware groups multiple times since the start of 2021 [1]. In July 2021, SonicWall warned of an increased risk of ransomware attacks [3] targeting unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) products. For this reason, we estimate the risk as high.

What should you do?

Log in to to upgrade the appliances to the patched firmware versions outlined in the table embedded below.

Product Platform Impacted Version Fixed Version
SMA 100 Series • SMA 200
• SMA 210
• SMA 400
• SMA 410
• SMA 500v (ESX, KVM, AWS, Azure) and earlier and higher and earlier and higher and earlier and higher

What will Northwave do?

Northwave is investigating the possibilities for monitoring exploitation attempts of this vulnerability, and will implement detection rules when possible.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.




Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.