NEWS Gaining Root Access Made Easy: Just Be an Admin… or Log in via SSL-VPN

ExcalibuR


A chain of three SonicWall vulnerabilities allows attackers to gain root access and seize control of VPN systems.


SonicWall has patched three critical vulnerabilities in its SMA 100 series secure remote access devices, which could allow an attacker to execute arbitrary code with root privileges. Given that these devices are widely used in corporate environments for VPN access, the risk is considered extremely high.


The most severe of the three is CVE-2025-32819, rated 8.8 on the CVSS scale. This vulnerability enables an SSL-VPN user to bypass path validation and delete arbitrary files, potentially resetting the device to factory settings. According to Rapid7, this flaw is likely a bypass of a previously reported vulnerability disclosed by the NCC Group in December 2021.


The second issue, CVE-2025-32820 (CVSS 8.3), allows path traversal to make any directory writable. The third, CVE-2025-32821 (CVSS 6.7), lets an SSL-VPN administrator inject command-line arguments and upload files to the device.


Rapid7 researchers demonstrated that these three vulnerabilities can be chained together in a single attack. With access to an SSL-VPN account, an attacker could write to sensitive system directories, escalate privileges to SMA administrator, then upload and execute a malicious file to gain full system control.


While SonicWall has not disclosed evidence of these vulnerabilities being exploited in the wild, researchers noted signs of potential compromise and suspect that CVE-2025-32819 may have been exploited as a zero-day.


Affected models include SMA 200, 210, 400, 410, and 500v. All issues were fixed in firmware version 10.2.1.15-81sv.
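As an added illustration (not code from the article or from SonicWall), a small Python triage helper that flags SMA 100 inventory entries whose reported firmware is older than the fixed 10.2.1.15-81sv. The inventory records and their version strings are constructed, and the helper assumes SMA firmware strings of the form `a.b.c.d-NNsv` compare as integer tuples with the trailing letters ignored.

```python
import re

FIXED_VERSION = "10.2.1.15-81sv"  # fixed firmware named in the advisory
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}


def parse_version(v: str) -> tuple:
    """Turn '10.2.1.15-81sv' into (10, 2, 1, 15, 81).

    Assumption: the dotted numbers and the numeric build after '-' compare
    as integers in order; trailing build letters such as 'sv' carry no order.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+)[A-Za-z]*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return parts + (build,)


def needs_patch(model: str, version: str) -> bool:
    """True when the model is in the affected list and the firmware is older
    than the fixed release."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return the (hostname, model, version) records that still need the update."""
    return [rec for rec in inventory if needs_patch(rec[1], rec[2])]


# Constructed sample inventory; hostnames, models and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-hq-1", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-dc-2", "SMA 500v", "10.2.1.15-81sv"),
    ("vpn-lab", "SMA 200", "10.2.1.13-72sv"),
    ("edge-other", "OTHER-MODEL", "7.0.1-5050"),
]

if __name__ == "__main__":
    for host, model, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {ver} -> update to {FIXED_VERSION}")
```

Treat the model list and fixed version as inputs to keep in sync with the vendor advisory rather than as authoritative in themselves.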


Given the backdrop of previous attacks on SMA 100 devices — including actively exploited vulnerabilities like CVE-2021-20035, CVE-2023-44221, and CVE-2024-38475 — administrators are strongly urged to update their systems immediately.

