HighPublic exploit

Arbitrary File Deletion in SonicWall SMA100

IdentifiersCVE-2025-32819CWE-22

CVE-2025-32819 is an authenticated path traversal / arbitrary file deletion vulnerability in SonicWall SMA100 appliances. According to the provided content, a remote attacker with valid SSLVPN user privileges can bypass path traversal checks and delete arbitrary files on the appliance. The flaw affects SMA100 and is described as allowing an authenticated SSLVPN user to manipulate file paths in a way that defeats intended traversal protections, resulting in deletion of attacker-chosen files. The content further indicates this issue is one of a set of SMA100 vulnerabilities disclosed in 2025 and that it may be chainable with related flaws for more severe outcomes.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote authenticated low-privilege SSLVPN user to delete arbitrary files on the target SMA100 appliance. The provided content specifically notes that this can potentially trigger a reboot to factory default settings, causing service disruption and loss of configuration. In broader attack chains, the vulnerability may also facilitate follow-on compromise when combined with other SMA100 flaws, and reporting in the content notes it may have been exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting SSLVPN access to trusted users and networks, minimizing the number of low-privilege accounts, enforcing MFA, resetting passwords and OTP bindings where compromise is suspected, and monitoring for indicators such as log gaps/deletions, unexpected reboots, persistent unexplained admin sessions, and unauthorized configuration changes. For suspected compromise, the content recommends immediate firmware upgrade, rebuilding SMA 500v where applicable, and replacing certificates whose private keys were stored on the appliance.

Remediation

Patch, then assume compromise.

Upgrade affected SonicWall SMA100 appliances to a fixed firmware release. The provided content states SonicWall disclosed and patched CVE-2025-32819 in June 2025 and strongly recommended upgrading SMA100 devices to firmware version 10.2.2.2-92sv. Because SMA100 devices are approaching or have reached end-of-support, organizations should also plan migration off legacy SMA100 platforms where possible.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SonicwallSma 100 Firmwareoperating_system

SonicwallSma 200 Firmwareoperating_system

SonicwallSma 210 Firmwareoperating_system

SonicwallSma 400 Firmwareoperating_system

SonicwallSma 410 Firmwareoperating_system

SonicwallSma 500v Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

A SonicWall SMA100 vulnerability that can contribute to remote code execution scenarios (listed among three SMA 100 flaws).

cyberthroneNews

Dec 24, 2025

From Disclosure to Detonation: CISA KEV Catalog Trends 2025

A path traversal vulnerability in SonicWall SMA 100 appliances, part of a set of critical flaws allowing remote code execution with root privileges. Actively exploited in the wild.

dark readingNews

Sep 24, 2025

Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks

An authenticated file deletion vulnerability in SonicWall SMA referenced as a possible vulnerability that could have been exploited by UNC6148.

the hacker newsNews

Jul 16, 2025

UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

A known vulnerability in SonicWall SMA 100 series appliances that may allow remote attackers to gain unauthorized access.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity15

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-32819

NVD

nvd.nist.gov/vuln/detail/CVE-2025-32819

MITRE CWE · CWE-22

cwe.mitre.org

Vendor Advisory

psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0011

Third Party Advisory

old.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025