- SonicWall updated a security advisory for a Secure Mobile Access flaw
- CISA added the flaw to its KEV
- FCEB agencies have three weeks to apply the patch
The US Cybersecurity and Infrastructure Security Agency (CISA) has added an old SonicWall vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being used in the wild.
As a result, Federal Civilian Executive Branch (FCEB) agencies have three weeks to install the patch or stop using the product entirely.
In late 2021, SonicWall released a security advisory, warning its users about an improper neutralization vulnerability affecting multiple SonicWall Secure Mobile Access (SMA) appliances. At the time, the company said the bug could be used to take down vulnerable endpoints with a Denial-of-Service (DoS) attack. However, the company has now updated the advisory to warn about in-the-wild abuse and to upgrade its severity score from medium to high (7.2).
Abuse in the wild
“Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to code execution,” SonicWall said.
The flaw affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices.
At the same time, CISA added the bug to KEV, warning about abuse in the wild. While its Binding Operational Directive 22-01 (which forces organizations to install the patch) only applies to government agencies, those in the private sector should take note when KEV gets a new entry.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
In 2021, SonicWall suffered one of its largest attacks ever, when a threat actor tracked as UNC2447 abused an SQL injection vulnerability in the SMA100 instance to gain unauthorized access to networks. Following the breach, they deployed the Sombrat backdoor and a ransomware variant dubbed FiveHands.
Via BleepingComputer
