SonicWall SMA 100 Zero-Day Exploitation (January 2021)
Primary Source
Incident Details
In late January 2021, SonicWall disclosed that its own internal systems had been targeted by sophisticated threat actors exploiting probable zero-day vulnerabilities in its Secure Mobile Access (SMA) 100 series VPN appliances. The incident was significant because SonicWall is a major cybersecurity vendor whose products are widely deployed by enterprises and managed service providers to provide remote access, so a breach of SonicWall's own infrastructure, or exploitation of the appliances it ships, could cascade to thousands of downstream customers.
The primary vulnerability disclosed was CVE-2021-20016, an SQL injection flaw in the SonicWall SSLVPN SMA 100 series (firmware version 10.x) that allowed unauthenticated remote attackers to retrieve login credentials (usernames and passwords) and active session information stored on the device. The affected hardware included the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (virtual) appliances running 10.x firmware; appliances still on 9.x firmware were not affected. SonicWall's advisory described the impact as credential and session disclosure rather than direct code execution, but the distinction mattered little in practice: an attacker holding valid administrator or user credentials could simply log in to the appliance and the networks behind it.
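To make the vulnerability class concrete, here is an added, generic illustration of an unauthenticated lookup that leaks a credential store through SQL injection, beside its parameterised fix. This is example code written for this page; it is not SonicWall's code, schema or the actual CVE-2021-20016 request, and the in-memory tables, usernames and hashes are constructed stand-ins.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for an appliance's credential/session store.

    Not the SMA 100 schema; the rows are made up for illustration.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    cur.execute("CREATE TABLE sessions (token TEXT, username TEXT)")
    cur.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice-0001", 0), ("admin", "hash-admin-0002", 1)],
    )
    cur.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("tok-1111", "alice"), ("tok-2222", "admin")],
    )
    conn.commit()
    return conn


def lookup_session_vulnerable(conn, token):
    """Resolve a session token to a user by splicing the token into the SQL text.

    Because the caller is unauthenticated and the token is attacker-controlled,
    the quotes in the token let the attacker rewrite the query.
    """
    sql = f"SELECT username FROM sessions WHERE token = '{token}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_session_fixed(conn, token):
    """Same lookup with a bound parameter: the token is only ever a value."""
    rows = conn.execute("SELECT username FROM sessions WHERE token = ?", (token,)).fetchall()
    return [row[0] for row in rows]


# Classic UNION-based payload: closes the string, appends a SELECT over the
# credential table, and comments out the trailing quote the code adds.
PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users --"


def demo():
    """Return what each variant hands back for the injection payload."""
    conn = build_db()
    leaked = lookup_session_vulnerable(conn, PAYLOAD)   # every user's credential
    safe = lookup_session_fixed(conn, PAYLOAD)          # no such token: empty
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned:", leaked)
    print("parameterised lookup returned:", safe)
```

The vulnerable variant returns every row of the credential table to a caller who never authenticated, which is the shape of impact described for CVE-2021-20016; the fixed variant returns nothing for the same input because the driver never interprets the token as SQL.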
SonicWall initially disclosed on 23 January 2021 that it had identified a coordinated attack on its internal systems that leveraged probable zero-day vulnerabilities in SonicWall products, and it recommended interim mitigations while the flaw was investigated. NCC Group reported indiscriminate in-the-wild exploitation of SMA 100 appliances at the end of January. SonicWall released the fixed firmware (version 10.2.0.5-29sv) for CVE-2021-20016 on 3 February 2021, following a CISA alert on 2 February 2021 urging immediate patching.
The exploitation had serious downstream consequences: FireEye (Mandiant) later reported that a DarkSide ransomware affiliate had used CVE-2021-20016 as an initial access vector in ransomware and extortion campaigns against SonicWall customers. Attackers who harvested VPN credentials from vulnerable SMA 100 appliances could authenticate directly to victim corporate networks as legitimate remote users, bypassing perimeter controls entirely. The ransomware response firm Coveware estimated that several thousand devices were potentially exposed.
Separately, later Mandiant research (published in 2023) described a suspected Chinese-nexus cluster maintaining a backdoor on SMA 100 appliances that persisted across firmware updates, illustrating how network perimeter appliances from security vendors had become high-value targets. SonicWall urged customers to update immediately, reset credentials, enable multi-factor authentication on SMA portals, and review access logs for signs of compromise. The event was an early signal of a broader 2021 trend in which threat actors specifically targeted VPN and remote-access appliances as primary initial access vectors.
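For the "update immediately" step above, the practical question for an operator is which appliances in an inventory are still exposed. The following is an added triage helper written for this page, not a SonicWall tool: it takes the affected models and the fix version 10.2.0.5-29sv from the write-up above, treats 10.x builds older than the fix as exposed, and ignores 9.x and non-SMA-100 records. The inventory, hostnames and version strings are constructed samples; the version-string shape `major.minor.patch.build-NNsv` is assumed from the fixed version quoted above. It checks the fix level for CVE-2021-20016 only; later SMA 100 advisories set higher floors.

```python
import re

# Taken from the incident write-up above.
FIXED_VERSION = "10.2.0.5-29sv"
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

# Assumed firmware string shape, e.g. "10.2.0.5-29sv" -> (10, 2, 0, 5, 29).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version):
    """Parse an SMA firmware string into a tuple that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_exposed(model, version):
    """True when the appliance is an affected model on 10.x firmware below the fix."""
    if model not in AFFECTED_MODELS:
        return False
    v = parse_version(version)
    if v[0] != 10:  # the advisory covered 10.x firmware only; 9.x was not affected
        return False
    return v < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return the (hostname, model, version) records that still need the update."""
    return [rec for rec in inventory if is_exposed(rec[1], rec[2])]


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("vpn-hq-01", "SMA 410", "10.2.0.2-20sv"),    # affected model, pre-fix 10.x
    ("vpn-hq-02", "SMA 410", "10.2.0.5-29sv"),    # already on the fixed build
    ("vpn-dc-01", "SMA 500v", "10.2.0.4-24sv"),   # virtual appliance, pre-fix
    ("vpn-legacy", "SMA 400", "9.0.0.10-28sv"),   # 9.x firmware, not affected
]

if __name__ == "__main__":
    for host, model, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {ver} is below {FIXED_VERSION}; update required")
```

Comparing parsed tuples rather than strings matters here: a naive string comparison would rank "10.2.0.5-29sv" below "10.2.0.5-9sv" if such a build existed, and would misorder two-digit components generally.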
Technical Details
- Initial Attack Vector
- Zero-day SQL injection vulnerability in SonicWall SMA 100 series VPN appliances exploited by unauthenticated attackers to steal credentials and session information, which were then used to authenticate to victim networks
- Vendor / Product
- SonicWall Secure Mobile Access (SMA) 100 Series
- Software Package
- SonicWall SMA 100 firmware 10.x
- CVE / GHSA References
- CVE-2021-20016
- Supply Chain Attack
- Yes: confirmed third-party / vendor compromise
Timeline
- 2021-01-22 Breach occurred
- 2021-01-23 Publicly disclosed
- 2021-01-23 Customers notified