CVE-2025-32819
Published 2025-05-07
Priority: P2 (79), high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 6.79% (93.2th percentile)
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma100 | — | — |
| sonicwall | sma_100_firmware | < 10.2.1.15-81sv | 10.2.1.15-81sv |
| sonicwall | sma_200_firmware | < 10.2.1.15-81sv | 10.2.1.15-81sv |
| sonicwall | sma_210_firmware | < 10.2.1.15-81sv | 10.2.1.15-81sv |
| sonicwall | sma_400_firmware | < 10.2.1.15-81sv | 10.2.1.15-81sv |
| sonicwall | sma_410_firmware | < 10.2.1.15-81sv | 10.2.1.15-81sv |
| sonicwall | sma_500v_firmware | < 10.2.1.15-81sv | 10.2.1.15-81sv |
Detection & IOCs
- path: /fileshare/sonicfiles
- other: RacNumber=44
- path: persist.db
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Authenticated RAC_DOWNLOAD_TAR Arbitrary File Deletion (CVE-2025-32819)"; flow:established,to_server; http.uri; content:"/fileshare/sonicfiles"; fast_pattern; startswith; content:"RacNumber|3d|44"; content:"swcctn|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/; reference:cve,2025-32819; classtype:web-application-attack; sid:2065053; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_06, cve CVE_2025_32819, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Monitor HTTP requests to /fileshare/sonicfiles with RacNumber=44 and path traversal sequences (double-dot encoded variants) in the swcctn parameter; this is the specific URI pattern exploited by CVE-2025-32819 for arbitrary file deletion.
- Detect path traversal bypass attempts using encoded dot-dot sequences (%2e, %2E) and encoded slashes (%2f, %2F, %5c, %5C) in SMA100 fileshare URI parameters.
- On SMA100 appliances, investigate unexpected reboots to factory default settings, which may indicate successful exploitation of CVE-2025-32819 (arbitrary file deletion triggering factory reset).
- Look for a dropped ELF binary decoded from base64 on SMA100 appliances; this is the OVERSTEP rootkit installation method used post-exploitation.
- Check SMA100 appliances for theft or access of persist.db and certificate files, which contain credentials, OTP seeds, and certificates enabling persistent attacker access.
- Investigate SMA100 appliances for manually cleared system logs followed by a reboot; this is the post-OVERSTEP-installation anti-forensic pattern used by UNC6148.
- Acquire disk images of potentially compromised SMA appliances rather than performing live forensics, as the OVERSTEP rootkit's user-mode hiding capabilities can interfere with live analysis.
- Detect unexpected SSL-VPN sessions using local administrator credentials on SMA100 appliances, particularly followed by reverse shell activity; shell access is not possible by design on these appliances.
- Note: CVE-2025-32819 requires the attacker to already hold SSLVPN user privileges, so detection should be correlated with authenticated sessions, not unauthenticated traffic.
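As an added example (not code from the page or from the rule's author), the Suricata rule's three URI conditions re-expressed as a Python detector and run over constructed access-log lines; the log format, client addresses, user names and file names are assumptions.

```python
import re

# Traversal expression copied from the page's Suricata rule pcre: two or more
# runs of one or two dots (literal or %2e-encoded), each followed by at least
# one slash or backslash (literal or %2f/%5c-encoded), never crossing an '&'.
TRAVERSAL_RE = re.compile(
    r"^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)
# Request field of a combined-format access log, e.g. "GET /p?q=1 HTTP/1.1" (assumed format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def is_cve_2025_32819_attempt(uri: str) -> bool:
    """Apply the rule's conditions to one raw (undecoded) request URI."""
    if not uri.startswith("/fileshare/sonicfiles"):   # content ...; startswith
        return False
    if "RacNumber=44" not in uri:                      # content:"RacNumber|3d|44"
        return False
    # The rule's pcre is relative (/R) to the end of "swcctn=", so test the raw
    # parameter value only; decoding first would hide the encoded variants.
    m = re.search(r"swcctn=([^&]*)", uri)
    return bool(m and TRAVERSAL_RE.match(m.group(1)))


def scan_log(lines):
    """Return (line_index, uri) for every log line whose request matches."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m and is_cve_2025_32819_attempt(m.group("uri")):
            hits.append((i, m.group("uri")))
    return hits


# Constructed sample log lines (not real traffic); hosts, users and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - user1 [07/May/2025:10:01:02 +0000] "GET /fileshare/sonicfiles?RacNumber=44&swcctn=..%2F..%2Ftmp%2Fconstructed.txt HTTP/1.1" 200 12',
    '10.0.0.5 - user1 [07/May/2025:10:01:09 +0000] "GET /fileshare/sonicfiles?RacNumber=44&swcctn=docs%2Freport.pdf HTTP/1.1" 200 4096',
    '10.0.0.7 - user2 [07/May/2025:10:02:11 +0000] "GET /fileshare/sonicfiles?RacNumber=12&swcctn=../../x HTTP/1.1" 404 0',
    '10.0.0.7 - user2 [07/May/2025:10:02:30 +0000] "GET /fileshare/sonicfiles?swcctn=%2e%2e%5c%2e%2e%5cx&RacNumber=44 HTTP/1.1" 500 0',
    '10.0.0.9 - - [07/May/2025:10:03:00 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for idx, uri in scan_log(SAMPLE_LOG):
        print(f"line {idx}: possible CVE-2025-32819 attempt by authenticated user: {uri}")
```

Lines 0 and 3 are flagged (mixed-case and backslash encodings included); line 2 is not, because RacNumber is not 44, which mirrors the rule rather than a looser generic traversal check.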
CVSS provenance
NVD (v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH
GHSA
GHSA-xfvq-95g5-jfq9 · ghsa_unreviewed · 2025-05-07 · CVE-2025-32819 [HIGH] · CWE-552
VulnCheck
CVE-2025-32819 [HIGH] SonicWall sma_100_firmware Files or Directories Accessible to External Parties · vulncheck · 2025 · CVSS 8.8
Affected: SonicWall sma_100_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/; https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor; https://fortiguard.fortinet.com/outbreak-alert/sonicwa
Suricata
CVE-2025-32819 [HIGH] ET WEB_SERVER SonicWall SMA Authenticated RAC_DOWNLOAD_TAR Arbitrary File Deletion (CVE-2025-32819) · suricata · 2025-10-06 · CVSS 8.8
Rule: sid:2065053 (full rule text listed under Detection & IOCs above)
No public exploits indexed.
Bleepingcomputer
CVE-2025-40599 [MEDIUM] · blogs_bleepingcomputer · 2025-07-24 · CVSS 6.5
## SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
By Sergiu Gatlan
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or
Bleepingcomputer
[MEDIUM] · blogs_bleepingcomputer · 2025-07-16 · CVSS 6.5
## SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware
By Ionut Ilascu
A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully-patched but no longer supported SonicWall Secure Mobile Access appliances.
The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.
Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on "an unknown, zero-day remote code execution vulnerability".
The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.
Because files stolen from the vic
Bleepingcomputer
CVE-2025-32819 [HIGH] · blogs_bleepingcomputer · 2025-05-08 · CVSS 8.8
## SonicWall urges admins to patch VPN flaw exploited in attacks
By Sergiu Gatlan
SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.
"SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release