CVE-2019-7481
Published 2019-12-17
Priority: P1 · 92 · high · CVSS 3.1 score 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.91% (100.0th percentile)
Vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | ansible | >= 0 < 2.0.0.2-2ubuntu1.3 | 2.0.0.2-2ubuntu1.3 |
| redhat | ansible | >= 0 < 2.5.1+dfsg-1ubuntu0.1 | 2.5.1+dfsg-1ubuntu0.1 |
| sonicwall | sma | — | — |
| sonicwall | sma100 | — | — |
| sonicwall | sma_100_firmware | < 9.0.0.4 | 9.0.0.4 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /cgi-bin/supportInstaller with SQL UNION SELECT payloads in the customerTID parameter, particularly with the User-Agent 'MSIE'.
- A successful exploitation response body will contain the arithmetic result '4220397236' (11132 * 379123), which can be used as a detection canary in HTTP response bodies.
- SonicWall SRA device logs showing 'Virtual Assist Installing Customer App' with a python-requests user-agent may indicate active exploitation activity by eCrime actors.
- Monitor SonicWall SRA device logs for the message 'Virtual Assist Installing Customer App' as an indicator of exploitation attempts.
- CVE-2019-7481 affects SonicWall SRA 4600 devices running firmware 8.x and 9.x, not just SMA100 devices. Patching SMA devices to 9.0.0.5 does NOT remediate the vulnerability on SRA devices; they remain vulnerable despite applying the SMA-targeted patch.
- The older SRA device remains vulnerable even after patching to version 9.0.0.5, which is the patch prescribed for SMA devices. Do not assume SRA devices are protected by applying SMA patches.
- The ability to leverage CVE-2019-7481 against SRA 4600 devices was previously undisclosed by SonicWall, meaning defenders may have incorrectly assumed SRA devices were not in scope for this CVE.
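The network-side indicators listed above can be combined into one triage pass over decoded HTTP transactions. The following is an added example, not code from any of the cited sources; the transaction dictionary layout, the verdict labels and the sample records are assumptions constructed for illustration, and the request bodies are redacted stubs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/supportInstaller"   # URI named in the indicators above
CANARY = str(11132 * 379123)                # "4220397236", the response canary
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
SUSPECT_UAS = ("msie", "python-requests")   # user agents mentioned above


def normalize(value, max_rounds=3):
    """Undo nested URL-encoding and inline SQL comments before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return SQL_COMMENT_RE.sub(" ", value)


def signals(tx):
    """Return the set of indicators present in one HTTP transaction."""
    found = set()
    if tx["method"].upper() != "POST":
        return found
    if not urlsplit(tx["uri"]).path.endswith(TARGET_PATH):
        return found
    params = parse_qs(tx.get("request_body", ""), keep_blank_values=True)
    if "customerTID" not in params:
        return found
    found.add("endpoint")
    if any(UNION_RE.search(normalize(v)) for v in params["customerTID"]):
        found.add("union_select")
    if CANARY in tx.get("response_body", ""):
        found.add("canary")
    if any(ua in tx.get("user_agent", "").lower() for ua in SUSPECT_UAS):
        found.add("suspect_ua")
    return found


def verdict(tx):
    """Map indicators to a triage label (labels are this example's own)."""
    s = signals(tx)
    if {"union_select", "canary"} <= s:
        return "likely-successful"
    if "union_select" in s:
        return "attempt"
    return "review" if "endpoint" in s else "no-match"


# Constructed sample transactions (not captured traffic).
SAMPLES = [
    {"method": "POST", "uri": TARGET_PATH, "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)",
     "request_body": "fromEmailInvite=1&customerTID=x%27+UNION/**/SELECT+REDACTED",
     "response_body": "<html>4220397236</html>"},
    {"method": "POST", "uri": TARGET_PATH, "user_agent": "python-requests/2.25.1",
     "request_body": "customerTID=x%2527%2520union%2520select%2520REDACTED&fromEmailInvite=1",
     "response_body": "<html>error</html>"},
    {"method": "POST", "uri": TARGET_PATH, "user_agent": "Mozilla/5.0",
     "request_body": "fromEmailInvite=1&customerTID=8841207", "response_body": "ok"},
    {"method": "GET", "uri": "/cgi-bin/welcome", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for tx in SAMPLES:
        print(verdict(tx), sorted(signals(tx)))
```

The third sample shows why the endpoint and parameter alone are only a "review" signal: an ordinary customerTID value reaches the same URI without any UNION SELECT content.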
CVSS provenance
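| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 7.5 | HIGH | — |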
GHSA
GHSA-229v-p5vr-f583: Vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources
ghsa_unreviewed·2022-05-24
CVE-2019-7481 [MEDIUM] CWE-89
Vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.
VulnCheck
SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20028 [CRITICAL] CWE-89 SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability
SonicWall Secure Remote Access (SRA) products contain an improper neutralization of a SQL Command leading to SQL injection.
Affected: SonicWall Secure Remote Access (SRA)
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; https://blog.compass-security.com/2022/03/vpn-appliance-forensics/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf; https://www.group-ib.com/resources/research-hub/hi-tech-crime
VulnCheck
SonicWall SSLVPN SMA100 SQL Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20016 [CRITICAL] CWE-89 SonicWall SSLVPN SMA100 SQL Injection Vulnerability
SonicWall SSLVPN SMA100 contains a SQL injection vulnerability that allows remote exploitation for credential access by an unauthenticated attacker.
Affected: SonicWall SSLVPN SMA100
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.mandiant.com/resources/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat; https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html; https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations; https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; https://cybersecurityworks.com/blo
OSV
ansible vulnerabilities
osv·2019-07-24·CVSS 9.8
CVE-2017-7481 ansible vulnerabilities
It was discovered that Ansible failed to properly handle sensitive information. A local attacker could use those vulnerabilities to extract them. (CVE-2017-7481, CVE-2018-10855, CVE-2018-16837, CVE-2018-16876, CVE-2019-10156)
It was discovered that Ansible could load configuration files from the current working directory containing crafted commands. An attacker could run arbitrary code as result. (CVE-2018-10874, CVE-2018-10875)
It was discovered that Ansible fetch module had a path traversal vulnerability. A local attacker could copy and overwrite files outside of the specified destination. (CVE-2019-3828)
VulnCheck
SonicWall SMA100 SQL Injection Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-7481 [HIGH] CWE-89 SonicWall SMA100 SQL Injection Vulnerability
SonicWall SMA100 contains a SQL injection vulnerability allowing an unauthenticated user to gain read-only access to unauthorized resources.
Affected: SonicWall SMA100
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cybersecurityworks.com/howdymanage/uploads/file/csw_final_ransomware_index-update-q321-csw_.pdf; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf; https://static.tenable.com/marketing/whitepap
CISA
SonicWall SMA100 SQL Injection Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2019-7481 [HIGH] CWE-89 SonicWall SMA100 SQL Injection Vulnerability
Vulnerability: SonicWall SMA100 SQL Injection Vulnerability
Affected: SonicWall SMA100
SonicWall SMA100 contains a SQL injection vulnerability allowing an unauthenticated user to gain read-only access to unauthorized resources.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-7481
Remediation Due Date: 2022-05-03
SonicWall
CVE-2019-7481: Vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.
vendor_sonicwall·2019-12-17·CVSS 7.5
CVE-2019-7481 [HIGH] CWE-89
Suricata
ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)
suricata·2021-07-16·CVSS 7.5
CVE-2019-7481 [HIGH] ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/supportInstaller"; endswith; http.request_body; content:"fromEmailInvite"; content:"customerTID"; tag:session,5,packets; reference:url,www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; reference:cve,2019-7481; classtype:web-application-attack; sid:2033348; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2019_7481, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, tag Descr
Nuclei
SonicWall SRA 4600 VPN - SQL Injection
nuclei·CVSS 7.5
CVE-2019-7481 [HIGH] SonicWall SRA 4600 VPN - SQL Injection
The SonicWall SRA 4600 VPN appliance is susceptible to a pre-authentication SQL injection vulnerability.
Template:
id: CVE-2019-7481
info:
  name: SonicWall SRA 4600 VPN - SQL Injection
  author: _darrenmartyn
  severity: high
  description: The SonicWall SRA 4600 VPN appliance is susceptible to a pre-authentication SQL injection vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL commands, potentially leading to unauthorized access, data leakage, or denial of service.
  remediation: |
    Apply the latest security patches or firmware updates provided by SonicWall to mitigate this vulnerability.
  reference:
    - https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve
Greynoiseio
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
blogs_greynoiseio·2026-02-27
Tenable
Exploitation of CVE-2025-40602 chained with CVE-2025-23006
blogs_tenable·2025-12-17·CVSS 9.8
[CRITICAL] Exploitation of CVE-2025-40602 chained with CVE-2025-23006
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys·2025-05-08
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Tenable
CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited
blogs_tenable·2025-01-23·CVSS 9.8
[CRITICAL] CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited
Tenable
SonicWall Urges Users to Patch Several Vulnerabilities in Secure Mobile Access Products (CVE-2021-20038)
blogs_tenable·2021-12-08·CVSS 9.8
[CRITICAL] SonicWall Urges Users to Patch Several Vulnerabilities in Secure Mobile Access Products (CVE-2021-20038)
Securelist
IT threat evolution in Q3 2021. PC statistics
blogs_securelist·2021-11-26
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2021:
- Kaspersky solutions blocked 1,098,968,315 attacks from online reso
Crowdstrike
How eCrime Groups Leverage an Old SonicWall Vulnerability
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] How eCrime Groups Leverage an Old SonicWall Vulnerability
Published: 2019-12-17
Added to CISA KEV: 2021-11-03
Exploited in the wild