cbcvebase.
CVE-2019-7481
published 2019-12-17

Priority: P192 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.91% (100.0th percentile)
Vulnerability in SonicWall SMA100 allows an unauthenticated user to gain read-only access to unauthorized resources. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | ansible | >= 0 < 2.0.0.2-2ubuntu1.3 | 2.0.0.2-2ubuntu1.3 |
| redhat | ansible | >= 0 < 2.5.1+dfsg-1ubuntu0.1 | 2.5.1+dfsg-1ubuntu0.1 |
| sonicwall | sma | | |
| sonicwall | sma100 | | |
| sonicwall | sma_100_firmware | < 9.0.0.4 | 9.0.0.4 |

Detection & IOCs (extracted from sources)

url: /cgi-bin/supportInstaller
command: fromEmailInvite=1&customerTID=unpossible'+UNION+SELECT+0,0,0,11132*379123,0,0,0,0--
  • Detect exploitation attempts by monitoring POST requests to /cgi-bin/supportInstaller with SQL UNION SELECT payloads in the customerTID parameter, particularly with the User-Agent 'MSIE'.
  • A successful exploitation response body will contain the arithmetic result '4220397236' (11132 * 379123), which can be used as a detection canary in HTTP response bodies.
  • SonicWall SRA device logs showing 'Virtual Assist Installing Customer App' with a python-requests user-agent may indicate active exploitation activity by eCrime actors.
  • Monitor SonicWall SRA device logs for the message 'Virtual Assist Installing Customer App' as an indicator of exploitation attempts.
  • CVE-2019-7481 affects SonicWall SRA 4600 devices running firmware 8.x and 9.x, not just SMA100 devices. Patching SMA devices to 9.0.0.5 does NOT remediate the vulnerability on SRA devices; they remain vulnerable despite applying the SMA-targeted patch.
  • The older SRA device remains vulnerable even after patching to version 9.0.0.5, which is the patch prescribed for SMA devices. Do not assume SRA devices are protected by applying SMA patches.
  • The ability to leverage CVE-2019-7481 against SRA 4600 devices was previously undisclosed by SonicWall, meaning defenders may have incorrectly assumed SRA devices were not in scope for this CVE.
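
The detection notes above, combined into one triage routine. This is an added example, not code from this page or from SonicWall; the event dictionary field names and the layout of the device log line are assumptions, and the sample events are constructed.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/supportInstaller"
CANARY = "4220397236"  # 11132 * 379123, the marker value quoted on the page
DEVICE_MSG = "Virtual Assist Installing Customer App"
# UNION [ALL] SELECT in a decoded value; tolerant of case and whitespace
UNION_SELECT = re.compile(r"union\s+(?:all\s+)?select", re.I)

def check_http(event):
    """Findings for one HTTP event. The dict field names are assumptions."""
    if event.get("method", "").upper() != "POST":
        return []
    if event.get("path", "").split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    # parse_qs URL-decodes the form body, so '+' and %20 both become spaces
    params = parse_qs(event.get("body", ""), keep_blank_values=True)
    if any(UNION_SELECT.search(v) for v in params.get("customerTID", [])):
        findings.append("sqli-in-customerTID")
        if "MSIE" in event.get("user_agent", ""):
            findings.append("ua-msie")
    if CANARY in event.get("response_body", ""):
        findings.append("canary-in-response")
    return findings

def check_device_log(line):
    """Triage one device log line: None, 'review', or 'exploit-suspected'."""
    if DEVICE_MSG not in line:
        return None
    return "exploit-suspected" if "python-requests" in line.lower() else "review"

# Constructed sample events (not real traffic); the first body is the string on the page
SAMPLES = [
    {"method": "POST", "path": TARGET_PATH, "user_agent": "MSIE",
     "body": "fromEmailInvite=1&customerTID=unpossible'+UNION+SELECT+0,0,0,11132*379123,0,0,0,0--",
     "response_body": "<html>4220397236</html>"},
    {"method": "POST", "path": TARGET_PATH, "user_agent": "Mozilla/5.0",
     "body": "fromEmailInvite=1&customerTID=A1B2C3", "response_body": "ok"},
    {"method": "POST", "path": TARGET_PATH, "user_agent": "curl/8.0",
     "body": "customerTID=x%27%20uNiOn%20SeLeCt%201--", "response_body": ""},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["user_agent"], check_http(ev))
    print(check_device_log("msg=Virtual Assist Installing Customer App agent=python-requests/2.25"))
```

A `canary-in-response` finding means the injected arithmetic was evaluated and returned, so it should be handled as a confirmed compromise indicator rather than an attempt.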

CVSS provenance

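| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 7.5 | HIGH | |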