cbcvebase.
CVE-2025-32819
published 2025-05-07

CVE-2025-32819: A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file…

Priority: P279 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 6.79% (93.2nd percentile)
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.

Affected

7 ranges
Vendor    | Product            | Version range      | Fixed in
sonicwall | sma100             |                    |
sonicwall | sma_100_firmware   | < 10.2.1.15-81sv   | 10.2.1.15-81sv
sonicwall | sma_200_firmware   | < 10.2.1.15-81sv   | 10.2.1.15-81sv
sonicwall | sma_210_firmware   | < 10.2.1.15-81sv   | 10.2.1.15-81sv
sonicwall | sma_400_firmware   | < 10.2.1.15-81sv   | 10.2.1.15-81sv
sonicwall | sma_410_firmware   | < 10.2.1.15-81sv   | 10.2.1.15-81sv
sonicwall | sma_500v_firmware  | < 10.2.1.15-81sv   | 10.2.1.15-81sv

Detection & IOCs (extracted from sources)

path: /fileshare/sonicfiles
other: RacNumber=44
path: persist.db

Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Authenticated RAC_DOWNLOAD_TAR Arbitrary File Deletion (CVE-2025-32819)"; flow:established,to_server; http.uri; content:"/fileshare/sonicfiles"; fast_pattern; startswith; content:"RacNumber|3d|44"; content:"swcctn|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/; reference:cve,2025-32819; classtype:web-application-attack; sid:2065053; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_06, cve CVE_2025_32819, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor HTTP requests to /fileshare/sonicfiles with RacNumber=44 and path traversal sequences (double-dot encoded variants) in the swcctn parameter — this is the specific URI pattern exploited by CVE-2025-32819 for arbitrary file deletion.
  • Detect path traversal bypass attempts using encoded dot-dot sequences (%2e, %2E) and encoded slashes (%2f, %2F, %5c, %5C) in SMA100 fileshare URI parameters.
  • On SMA100 appliances, investigate unexpected reboots to factory default settings, which may indicate successful exploitation of CVE-2025-32819 (arbitrary file deletion triggering factory reset).
  • Look for a dropped ELF binary decoded from base64 on SMA100 appliances — this is the OVERSTEP rootkit installation method used post-exploitation.
  • Check SMA100 appliances for theft or access of persist.db and certificate files, which contain credentials, OTP seeds, and certificates enabling persistent attacker access.
  • Investigate SMA100 appliances for manually cleared system logs followed by a reboot — this is the post-OVERSTEP-installation anti-forensic pattern used by UNC6148.
  • Acquire disk images of potentially compromised SMA appliances rather than performing live forensics, as the OVERSTEP rootkit's user-mode hiding capabilities can interfere with live analysis.
  • Detect unexpected SSL-VPN sessions using local administrator credentials on SMA100 appliances, particularly followed by reverse shell activity — shell access is not possible by design on these appliances.
  • CVE-2025-32819 requires the attacker to already hold SSLVPN user privileges — detection should be correlated with authenticated sessions, not unauthenticated traffic.
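The Snort rule and the first two detection bullets above describe one request pattern: a URI starting with /fileshare/sonicfiles, RacNumber=44, and repeated dot-dot traversal (literal or percent-encoded) in the raw swcctn value. The following Python is an added example, not part of this CVE record or of any vendor tool, that reimplements that match so it can be tested offline against constructed sample log lines; the log lines, placeholder file names and function names are all constructed for illustration.

```python
"""Request-pattern check for CVE-2025-32819 (added example, not from the CVE record)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Mirrors the PCRE in the Snort rule: two or more traversal steps, each made of
# one or two dots (literal or %2e/%2E) followed by one or more separators
# (literal / or \, or %2f/%2F/%5c/%5C), applied to the *undecoded* swcctn value.
TRAVERSAL_RE = re.compile(r"^[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}")
URI_PREFIX = "/fileshare/sonicfiles"   # the rule's startswith content match


def raw_param(query: str, name: str) -> Optional[str]:
    """Return the undecoded value of `name` from a raw query string, or None if absent."""
    for part in query.split("&"):
        key, sep, value = part.partition("=")
        if sep and key == name:
            return value
    return None


def matches_cve_2025_32819(uri: str) -> bool:
    """True when a request URI satisfies all three conditions of the Snort rule."""
    parts = urlsplit(uri)                      # query is left percent-encoded
    if not parts.path.startswith(URI_PREFIX):
        return False
    if "RacNumber=44" not in parts.query:      # same substring semantics as the rule
        return False
    swcctn = raw_param(parts.query, "swcctn")
    return swcctn is not None and TRAVERSAL_RE.search(swcctn) is not None


# Constructed sample request lines (method, URI, version); not real appliance logs.
SAMPLE_LOG = [
    "GET /fileshare/sonicfiles?RacNumber=44&swcctn=..%2f..%2fplaceholder HTTP/1.1",  # encoded slashes
    "GET /fileshare/sonicfiles?RacNumber=44&swcctn=reports/q1.tar HTTP/1.1",         # benign download
    "GET /fileshare/sonicfiles?RacNumber=12&swcctn=../../x HTTP/1.1",                # wrong RacNumber
    "GET /cgi-bin/welcome?swcctn=../../x&RacNumber=44 HTTP/1.1",                      # wrong path
    "GET /fileshare/sonicfiles?RacNumber=44&swcctn=%2E%2E%5C%2e%2e%5cx HTTP/1.1",   # mixed encodings
]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, URI) for every request line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) >= 2 and matches_cve_2025_32819(fields[1]):
            hits.append((n, fields[1]))
    return hits


if __name__ == "__main__":
    for n, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: {uri}")
```

Because the match runs on the raw query string, a normalising proxy that decodes %2e/%2f before logging would hide the encoded variants; feed it the request as received, as the rule's tls_state TLSDecrypt metadata also implies.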

CVSS provenance

nvd: v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH