Home / Threat Intelligence bulletins / Cyber spies targeting unpatched SonicWall devices

Target Industry

Indiscriminate, opportunistic targeting.


Cybercriminals have been reported as targeting unpatched SonicWall gateways, infecting devices with an infostealing malware variant. The threat actors are suspected to be located in China and the associated persistent campaign has deployed malware against unpatched SonicWall Secure Mobile Access (SMA) Series 100 appliances.

Although the initial attack vector has yet to be identified, the incident investigation revealed that the unpatched SonicWall devices were vulnerable to known exploited security flaws, including CVE-2021-20016, CVE-2021-20028, CVE-2019-7483 and CVE-2019-7481.


– CVE-2021-20016 (CVSSv3 Score Critical – 9.8): A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product that allows a remote unauthenticated threat actor to perform SQL queries to access usernames, passwords and other session-related data.
– CVE-2021-20028 (CVSSv3 Score Critical – 9.8): An exploit pertaining to improper neutralisation of a SQL command leading to a SQL Injection vulnerability, impacting end-of-life Secure Remote Access (SRA) products.
– CVE-2019-7483 (CVSSv3 Score High – 7.5): In SonicWall SMA100, successful exploitation of this vulnerability results in an unauthenticated Directory Traversal in the handleWAFRedirect CGI that allows the threat to test for the presence of a file on the server.
– CVE-2019-7481 (CVSSv3 Score High – 7.5): Successful exploitation of this vulnerability allows unauthenticated attackers to gain read-only access to unauthorised resources.

Vulnerability Detection

SonicWall has patched the vulnerabilities mentioned above. As such, previous versions are vulnerable to the potential exploits.

Affected Products

– SonicWall Secure Mobile Access (SMA) 100 Series

Containment, Mitigations & Remediations

Even though a specific vulnerability relating to the initial attack vector has yet to be identified, it is still strongly recommended that organisations using SonicWall products remain proactive in applying the most recent SMA 100 series firmware update ( or later). The firmware update includes additional hardening features, such as File Integrity Monitoring (FIM), anomalous process identification, and OpenSSL library updates.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

At the time of writing, it remains unclear as to whether or not this malware campaign is related to earlier ransomware attacks, which targeted some of the same SonicWall appliances in 2021. However, it can be concluded that cyberespionage groups continue to focus on exploiting systems that do not support endpoint detection and response (EDR) solutions. This is likely due to the criminals within these threat actor groups realising that a substantial number of organisations are dependent on such defence solutions.

SonicWall has a significant portion of the network security appliance market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As previously mentioned, SonicWall systems do not support EDR solutions and, as a result, these devices become a prime target. Due to the fact that network security devices have become an integral component of business operations, threat actors will continue to exploit vulnerabilities contained within these devices in an attempt to extract the sensitive data contained therein.

Threat Group

The suspected threat actor is being tracked by the name ‘UNC4540’. The fact that the malware deployed by UNC4540 can successfully compromise managed appliances indicates that the group is well resourced with a team of experienced and sophisticated cybercriminals. Furthermore, the campaign reported on is consistent with previously documented Chinese threat actor patterns of targeting network devices for zero-day exploits.

Mitre Methodologies

Initial Access:

T1190 – Exploit Public-Facing Application


T1083 – File and Directory Discovery

Further Information

The Register Article


Intelligence Terminology Yardstick