SonicWall SRA & SMA Remote Access Devices Vulnerability Advisory | July 2021

Threat actors are actively exploiting known and previously patched vulnerabilities in SonicWall remote access products. Here's what you need to know.


On July 15, 2021, SonicWall released a critical security notice to customers that threat actors were exploiting a known and previously patched vulnerability in their Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. They were made aware the threat actors were targeting the products running unpatched and end-of-life (EOL) 8.x firmware in an “imminent ransomware campaign using stolen credentials.” 

The affected products include:  

  • SRA 4600/1600 
  • SRA 4200/1200 
  • SSL-VPN 200/2000/400 
  • SMA 400/200
  • SMA 210/410/500v (Not targeted in the campaign but encouraged to update to the latest version)

Next Steps for All SonicWall SRA & SMA Customers:

If your organization uses SonicWall SRA or SMA products, you should:

  1. Review SonicWall’s Security Advisory for more detailed steps and guidance.
  2. Itemize all instances of SonicWall SMA and SRA products hosted by your organization or on your organization's behalf.
  3. Organizations using the EOL SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances per guidance below: 
    • SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016), SSL-VPN 200/2000/400 (EOL 2013/2014)
      • Disconnect immediately 
      • Reset passwords
    • SMA 400/200 (Still Supported, in Limited Retirement Mode)
      • Update to or immediately
      • Reset passwords
      • Enable MFA
    • SMA 210/410/500v 
      • Firmware 9.x should immediately update to or later
      • Firmware 10.x should immediately update to or later
  4. Organizations using any version of SMA and SRA should consider a global password reset within those products. This would prevent use of credentials stolen prior to any upgrades or patches.
  5. If your organization is impacted by a ransomware incident, or identifies suspicious activity, notify Corvus of a potential cyber claim via (Cyber policyholders) or (Tech E&O policyholders).