SonicWall on Monday warned of active exploitation attempts against a zero-day vulnerability in its Secure Mobile Access (SMA) 100 series devices.
The flaw, which affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v), came to light after the NCC Group on Sunday alerted that it had detected “indiscriminate use of an exploit in the wild.”
Details of the exploit have not been disclosed to prevent the zero-day from being misused further, but a patch is expected to be available by the end of day on February 2, 2021.
“A few thousand devices are impacted,” SonicWall said in a statement, adding, “SMA 100 firmware prior to 10.x is unaffected by this zero-day vulnerability.”
On January 22, The Hacker News exclusively revealed that SonicWall had been breached in a coordinated attack on its internal systems that exploited “probable zero-day vulnerabilities” in its SMA 100 series remote access devices.
Then last week, on January 29, the San Jose-based company issued an update stating it had so far only observed the use of previously stolen credentials to log into the SMA 100 series appliances.
While SonicWall has not shared many details about the intrusion, citing an ongoing investigation, the latest development points to evidence that a critical zero-day in the SMA 100 series 10.x code may have been exploited to carry out the attack.
SonicWall is internally tracking the vulnerability as SNWLID-2021-0001.
The company said SonicWall firewalls and SMA 1000 series appliances, as well as all respective VPN clients, are unaffected and that they remain safe to use.
In the interim, the company recommends customers enable multi-factor authentication (MFA) and reset user passwords for accounts that utilize the SMA 100 series with 10.x firmware.
“If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall,” the company said. Users also have the option of shutting down the vulnerable SMA 100 series devices until a patch is available, or of loading firmware version 9.x after a factory default settings reboot.