CVE-2019-7481

CVE-2019-7481 is a high-severity vulnerability in Sonicwall Sma 100 Firmware with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-89.

Key facts

Description

Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources. This vulnerablity impacted SMA100 version 9.0.0.3 and earlier.

CVE-2019-7481: SonicWall SMA100 Unauthenticated Resource Access

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-7481
Product SonicWall SMA100
CVSS v3 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2 5.0 — AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE CWE-89
EPSS 0.99906 (99.97th percentile)
KEV Listed since 2021-11-03
EU Exploited Yes (since 2021-11-03)

Summary

CVE-2019-7481 affects SonicWall SMA100 secure mobile access appliances. An unauthenticated, remote attacker can gain read-only access to resources that should require authentication. The vulnerability has been actively exploited in the wild and is tracked on both the CISA KEV catalog and the EU Exploited Vulnerabilities Database.

Background

SonicWall SMA100 is a secure remote access appliance used by organizations to provide VPN and mobile access to corporate resources. In December 2019, SonicWall disclosed that SMA100 firmware contained a vulnerability that allowed unauthenticated users to access protected resources without valid credentials. The issue has since been confirmed as actively exploited by threat actors.

Root Cause

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection").

The vulnerability stems from insufficient input validation in the SMA100 firmware. An attacker can craft requests that bypass authentication checks by injecting malicious input into query parameters or request fields, leading to unauthorized access to backend resources. The authentication boundary is not properly enforced, allowing the attacker to retrieve data without valid session credentials.

Impact

  • Confidentiality (HIGH): Unauthenticated remote attackers can read sensitive data from the appliance.
  • Integrity (NONE): No direct ability to modify data or configuration.
  • Availability (NONE): No direct denial-of-service impact.

The CVSS v3 score of 7.5 reflects the ease of exploitation (network-accessible, no privileges required, no user interaction) combined with high confidentiality impact. The CVSS v2 score of 5.0 reflects partial confidentiality impact under the older scoring model. EPSS is extremely high at 0.99906, indicating near-certain active exploitation probability.

Exploitation Walkthrough

⚠️ Ethics Notice: This section describes the vulnerability mechanism from a defensive perspective only. No weaponized exploit code or step-by-step attack instructions are provided. Security practitioners should use this information for detection, patching, and defensive architecture.

An attacker can send specially crafted HTTP requests to the SMA100 management interface. The crafted input bypasses the authentication layer by exploiting the underlying input validation weakness. Once the boundary is crossed, the attacker can enumerate internal resources and retrieve data intended for authenticated users. Defensive teams should focus on:

  • Monitoring for anomalous HTTP requests to SMA100 endpoints from untrusted sources.
  • Looking for repeated GET/POST requests with unusual parameter patterns.
  • Alerting on authentication bypass attempts in appliance logs.

Affected and Patched Versions

  • Affected: SonicWall SMA100 firmware version 9.0.0.3 and earlier.
  • Patched: A fixed firmware version was released by SonicWall. Administrators should consult the official SonicWall advisory for the latest patched version. (Specific patched version number is not available in the source data; verify via SonicWall PSIRT.)

Remediation

  1. Upgrade firmware: Apply the latest patched firmware from SonicWall for SMA100 appliances.
  2. Compensating controls:
    • Restrict SMA100 management interfaces to authorized IP ranges only.
    • Deploy network segmentation to isolate SMA100 appliances from untrusted networks.
    • Enable MFA for all administrative access if supported.
    • Monitor for unauthorized access attempts and anomalous outbound connections from SMA100 appliances.

Detection

  • Review SMA100 access logs for requests to protected resources without valid authentication tokens.
  • Correlate EPSS and KEV indicators: this CVE has a 0.99906 EPSS score and is on the CISA KEV catalog — prioritize scanning for vulnerable SMA100 instances.
  • Monitor for unexpected file or resource access patterns from SMA100 appliances.

Assessment

EPSS of 0.99906 places this vulnerability in the top 0.03% of all CVEs for exploitation likelihood. Combined with its presence on both the CISA KEV catalog and the EU exploited vulnerabilities list since November 2021, this issue is a confirmed, high-priority threat. Organizations should treat any SMA100 running firmware 9.0.0.3 or earlier as compromised until proven otherwise and prioritize patching or isolation.

Key lessons:

  1. Network-exposed appliances with authentication bypass vulnerabilities are high-value targets for attackers.
  2. EPSS and KEV data should drive prioritization — a CVSS 7.5 with near-certain exploitation is more urgent than many higher-scoring but unexploited issues.

References

Frequently asked questions

What is CVE-2019-7481?
Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources. This vulnerablity impacted SMA100 version 9.0.0.3 and earlier.
How severe is CVE-2019-7481?
CVE-2019-7481 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2019-7481 being actively exploited?
Yes. CVE-2019-7481 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-7481?
CVE-2019-7481 affects Sonicwall Sma 100 Firmware. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-7481?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-7481 have an EU (EUVD) identifier?
Yes. CVE-2019-7481 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-17023. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-7481 published?
CVE-2019-7481 was published on 2019-12-17 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Sonicwall Sma 100 Firmware

All CVEs affecting Sonicwall Sma 100 Firmware →

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →