CVE-2019-7481
CVE-2019-7481 is a high-severity vulnerability in Sonicwall Sma 100 Firmware with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-89.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-17023
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-89
- Affected product: Sonicwall Sma 100 Firmware
- Published:
- Last modified:
Description
Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources. This vulnerablity impacted SMA100 version 9.0.0.3 and earlier.
CVE-2019-7481: SonicWall SMA100 Unauthenticated Resource Access
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2019-7481 |
| Product | SonicWall SMA100 |
| CVSS v3 | 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSS v2 | 5.0 — AV:N/AC:L/Au:N/C:P/I:N/A:N |
| CWE | CWE-89 |
| EPSS | 0.99906 (99.97th percentile) |
| KEV | Listed since 2021-11-03 |
| EU Exploited | Yes (since 2021-11-03) |
Summary
CVE-2019-7481 affects SonicWall SMA100 secure mobile access appliances. An unauthenticated, remote attacker can gain read-only access to resources that should require authentication. The vulnerability has been actively exploited in the wild and is tracked on both the CISA KEV catalog and the EU Exploited Vulnerabilities Database.
Background
SonicWall SMA100 is a secure remote access appliance used by organizations to provide VPN and mobile access to corporate resources. In December 2019, SonicWall disclosed that SMA100 firmware contained a vulnerability that allowed unauthenticated users to access protected resources without valid credentials. The issue has since been confirmed as actively exploited by threat actors.
Root Cause
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection").
The vulnerability stems from insufficient input validation in the SMA100 firmware. An attacker can craft requests that bypass authentication checks by injecting malicious input into query parameters or request fields, leading to unauthorized access to backend resources. The authentication boundary is not properly enforced, allowing the attacker to retrieve data without valid session credentials.
Impact
- Confidentiality (HIGH): Unauthenticated remote attackers can read sensitive data from the appliance.
- Integrity (NONE): No direct ability to modify data or configuration.
- Availability (NONE): No direct denial-of-service impact.
The CVSS v3 score of 7.5 reflects the ease of exploitation (network-accessible, no privileges required, no user interaction) combined with high confidentiality impact. The CVSS v2 score of 5.0 reflects partial confidentiality impact under the older scoring model. EPSS is extremely high at 0.99906, indicating near-certain active exploitation probability.
Exploitation Walkthrough
⚠️ Ethics Notice: This section describes the vulnerability mechanism from a defensive perspective only. No weaponized exploit code or step-by-step attack instructions are provided. Security practitioners should use this information for detection, patching, and defensive architecture.
An attacker can send specially crafted HTTP requests to the SMA100 management interface. The crafted input bypasses the authentication layer by exploiting the underlying input validation weakness. Once the boundary is crossed, the attacker can enumerate internal resources and retrieve data intended for authenticated users. Defensive teams should focus on:
- Monitoring for anomalous HTTP requests to SMA100 endpoints from untrusted sources.
- Looking for repeated GET/POST requests with unusual parameter patterns.
- Alerting on authentication bypass attempts in appliance logs.
Affected and Patched Versions
- Affected: SonicWall SMA100 firmware version 9.0.0.3 and earlier.
- Patched: A fixed firmware version was released by SonicWall. Administrators should consult the official SonicWall advisory for the latest patched version. (Specific patched version number is not available in the source data; verify via SonicWall PSIRT.)
Remediation
- Upgrade firmware: Apply the latest patched firmware from SonicWall for SMA100 appliances.
- Compensating controls:
- Restrict SMA100 management interfaces to authorized IP ranges only.
- Deploy network segmentation to isolate SMA100 appliances from untrusted networks.
- Enable MFA for all administrative access if supported.
- Monitor for unauthorized access attempts and anomalous outbound connections from SMA100 appliances.
Detection
- Review SMA100 access logs for requests to protected resources without valid authentication tokens.
- Correlate EPSS and KEV indicators: this CVE has a 0.99906 EPSS score and is on the CISA KEV catalog — prioritize scanning for vulnerable SMA100 instances.
- Monitor for unexpected file or resource access patterns from SMA100 appliances.
Assessment
EPSS of 0.99906 places this vulnerability in the top 0.03% of all CVEs for exploitation likelihood. Combined with its presence on both the CISA KEV catalog and the EU exploited vulnerabilities list since November 2021, this issue is a confirmed, high-priority threat. Organizations should treat any SMA100 running firmware 9.0.0.3 or earlier as compromised until proven otherwise and prioritize patching or isolation.
Key lessons:
- Network-exposed appliances with authentication bypass vulnerabilities are high-value targets for attackers.
- EPSS and KEV data should drive prioritization — a CVSS 7.5 with near-certain exploitation is more urgent than many higher-scoring but unexploited issues.
References
Frequently asked questions
- What is CVE-2019-7481?
- Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources. This vulnerablity impacted SMA100 version 9.0.0.3 and earlier.
- How severe is CVE-2019-7481?
- CVE-2019-7481 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2019-7481 being actively exploited?
- Yes. CVE-2019-7481 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-7481?
- CVE-2019-7481 affects Sonicwall Sma 100 Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-7481?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-7481 have an EU (EUVD) identifier?
- Yes. CVE-2019-7481 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-17023. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-7481 published?
- CVE-2019-7481 was published on 2019-12-17 and last updated on 2026-06-17.
References
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0016
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7481
Affected products (1)
- cpe:2.3:o:sonicwall:sma_100_firmware:*:*:*:*:*:*:*:*
More vulnerabilities in Sonicwall Sma 100 Firmware
- CVE-2021-20016 — Critical (CVSS 9.8): A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to…
- CVE-2019-7482 — Critical (CVSS 9.8): Stack-based buffer overflow in SonicWall SMA100 allows an unauthenticated user to execute arbitrary code in function…
- CVE-2025-32820 — High (CVSS 8.8): A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges can inject a path…
- CVE-2025-32819 — High (CVSS 8.8): A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path…
- CVE-2019-7486 — High (CVSS 8.8): Code injection in SonicWall SMA100 allows an authenticated user to execute arbitrary code in viewcacert CGI script.…
- CVE-2019-7485 — High (CVSS 8.8): Buffer overflow in SonicWall SMA100 allows an authenticated user to execute arbitrary code in DEARegister CGI script.…
All CVEs affecting Sonicwall Sma 100 Firmware →
Other CWE-89 (SQL Injection) vulnerabilities
- CVE-2026-54350 — Critical (CVSS 10.0): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase…
- CVE-2026-8054 — Critical (CVSS 10.0): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints…
- CVE-2026-42287 — Critical (CVSS 10.0): Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and…
- CVE-2026-3325 — Critical (CVSS 10.0): SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the…
- CVE-2025-10878 — Critical (CVSS 10.0): A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26.…
- CVE-2025-57792 — Critical (CVSS 10.0): Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of…