SonicWall urges customers to ‘immediately’ patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.
The vulnerability tracked as CVE-2021-20026 affects NSM 2.2.0-R10-H1 and earlier and it was patched by SonicWall in the NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced) versions.
SonicWall rated it with an 8.8/10 severity score and authenticated attackers can exploit it for OS command injection in low complexity attacks that don’t require user interaction.
“This critical vulnerability potentially allows a user to execute commands on a device’s operating system with the highest system privileges (root),” SonicWall explains.
“This vulnerability only impacts on-premises NSM deployments. SaaS versions of NSM are not affected.”
While the company did not mention an immediate danger of attackers exploiting this vulnerability or active in the wild exploitation, SonicWall is urging customers to patch their devices immediately.
“SonicWall customers using the on-premises NSM versions outlined below should upgrade to the respective patched version immediately,” the company said.
When asked to comment earlier today, SonicWall refused to provide any details regarding CVE-2021-20026 active exploitation and replied with the information available in the security advisory.
Several SonicWall zero-days abused in the wild this year
Threat actors have targeted multiple SonicWall appliance vulnerabilities this year, several of them zero-days actively exploited in the wild before the company released patches.
In February, SonicWall patched an actively exploited zero-day impacting the SMA 100 series of SonicWall networking devices.
A financially motivated threat actor, tracked by Mandiant threat analysts as UNC2447, exploited another zero-day in SonicWall SMA 100 Series VPN appliances to deploy newly discovered FiveHands ransomware on the networks of North American and European targets.
The same zero-day bug was also abused in attacks targeting SonicWall’s internal systems in January and later indiscriminately abused in the wild.
In March, SonicWall patched three more zero-days exploited in the wild and affecting the company’s on-premises and hosted Email Security (ES) products.
As Mandiant found while investigating the attacks, these zero-days were abused by a group tracked as UNC2682 to backdoor systems using BEHINDER web shells which allowed the attackers to move laterally through their victims’ networks and access emails and files.
Update: Added SonicWall comments.