PT-2021-13733 · Sma100 · Sma100

Published: 2021-09-24 · Updated: 2025-07-17

CVE-2021-20035

CVSS v2.0: 9.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

**Name of the Vulnerable Software and Affected Versions:**

SonicWall SMA 100 series appliances

SonicWall SMA 200

SonicWall SMA 210

SonicWall SMA 400

SonicWall SMA 410

SonicWall SMA 500v

versions prior to the fixed version

**Description:**

A command injection vulnerability exists in the web management interface of SonicWall SMA appliances. This vulnerability allows a remote, authenticated attacker to inject arbitrary commands as a 'nobody' user, potentially leading to denial of service (DoS) or remote code execution (RCE). The vulnerability is due to improper neutralization of special elements within the interface. Active exploitation of this vulnerability has been observed since January 2025, with threat actors attempting to steal VPN credentials. Approximately 1000 organizations have been affected.

The `/cgi-bin/viewcert` endpoint has been observed during exploitation attempts.
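A log hunt for the endpoint named above, as an added example that is not part of the original advisory. It assumes the HTTP access log of the appliance or of an upstream proxy is available in Common Log Format; the sample lines and the helper names `normalize` and `hunt` are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint the advisory reports as seen during exploitation attempts.
WATCHED_PATH = "/cgi-bin/viewcert"

# Assumption: Common/Combined Log Format; adjust to the real log source.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2025:03:14:07 +0000] "POST /cgi-bin/viewcert HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2025:03:14:09 +0000] "POST /cgi-bin/viewcert?x=1 HTTP/1.1" 200 498
203.0.113.20 - admin [12/Jan/2025:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.55 - - [13/Jan/2025:22:41:30 +0000] "GET /cgi-bin//viewcert HTTP/1.1" 403 0
this line is malformed and must be skipped
"""

def normalize(target):
    """Drop the query string, percent-decode, and collapse '//' and '.'."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath("/" + path.lstrip("/"))

def hunt(log_text):
    """Summarise requests to WATCHED_PATH per source address."""
    hits = defaultdict(lambda: {"count": 0, "methods": set(),
                                "statuses": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or normalize(m["target"]) != WATCHED_PATH:
            continue  # unparsable line or a different endpoint
        h = hits[m["src"]]
        h["count"] += 1
        h["methods"].add(m["method"])
        h["statuses"].add(int(m["status"]))
        h["first"] = h["first"] or m["ts"]  # logs are in time order
        h["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    for src, h in hunt(SAMPLE_LOG).items():
        print(src, h["count"], sorted(h["methods"]), sorted(h["statuses"]),
              h["first"], "->", h["last"])
```

A hit is a lead for review rather than proof of exploitation, since the vulnerability requires an authenticated session and administrators may reach the same endpoint; correlate sources and timestamps with management-interface logins.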

**Recommendations:**

SonicWall SMA 100 series appliances: Apply the available patch or take the devices offline by May 7, 2025.

SonicWall SMA 200: Apply the available patch.

SonicWall SMA 210: Apply the available patch.

SonicWall SMA 400: Apply the available patch.

SonicWall SMA 410: Apply the available patch.

SonicWall SMA 500v: Apply the available patch.

Fix

RCE

OS Command Injection

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-05023
CVE-2021-20035

Affected Products

Sma100