Sonicwall NetExtender vulnerability exploited by APT group

Sonicwall has been attacked by an APT group, and the attackers probably had access to the provider’s code. Sonicwall has already confirmed this. Those who use Sonicwall products should respond.


SonicWall is an IT infrastructure company from the USA that offers firewall and security solutions. The company claims that SonicWall products and real-time security services can help companies detect Sunburst and Supernova malware, as well as other attacks on vulnerable systems. Now, it seems, they’ve fallen victim to a cyber attack themselves, due to a 0-day exploit. German blog reader Stefan A. emailed me this evening to alert me to a cyber security incident – thanks for the information. Sonicwall has confirmed a cyber attack in this announcement on January 22, 2021.

Urgent Security Notice: NetExtender VPN Client 10.X, SMA 100 Series Vulnerability

NOTE: We will continue to update this knowledge base (KB) article as more information and mitigation steps are available.

SonicWall provides cybersecurity products, services and solutions designed to help keep organizations safe from increasingly sophisticated cyber threats. As the front line of cyber defense, we have seen a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations.

We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government.

Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:

  • NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

The NetExtender VPN client and SMB-oriented SMA 100 series are used for providing employees/users with remote access to internal resources. The SMA 1000 series is not susceptible to this vulnerability and utilizes clients different from NetExtender.

In the linked article, Sonicwall provides advice on what customers can do as a precaution or what actions they should take in light of the APT attack.

  • For Sonicwall SMA 100 series: Block / restrict access to SSLVPN service via a firewall (whitelisting).
  • For Sonicwall Firewall series: Disable / restrict SSLVPN service on firewall (whitelisting).

This Sonicwall post describes how to configure the access. In addition, Sonicwall recommends enabling two-factor authentication (2FA) on the firewall, SMA and Mysonicwall. Details can be found in the Sonicwall post.
