HighCISA KEVExploited in the wildPublic exploit

SQL Injection in SonicWall SMA100

IdentifiersCVE-2019-7481CWE-89· Improper Neutralization of Special…

CVE-2019-7481 is a vulnerability in SonicWall SMA100 appliances that allows an unauthenticated user to gain read-only access to unauthorized resources. The provided content explicitly identifies it as a SQL injection vulnerability affecting SMA100 version 9.0.0.3 and earlier. Based on the available information, the flaw can be exploited remotely without authentication against exposed appliances, resulting in unauthorized retrieval of data or resources that should not be accessible to the attacker.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to obtain read-only access to unauthorized resources on the affected SonicWall SMA100 appliance. This can expose sensitive information resident on or accessible through the appliance and may facilitate follow-on intrusion activity by providing reconnaissance value, credential-related information, or other internal data useful for broader compromise. The supplied context also notes historical abuse of this CVE in ransomware intrusion campaigns targeting internet-exposed SonicWall appliances.

Mitigation

If you can’t patch tonight, do this now.

If immediate remediation is not possible, reduce exposure by removing affected SMA100 appliances from direct internet access, restricting access to trusted source IPs through firewall or VPN policy, and monitoring for suspicious access to appliance resources. Because the vulnerability is exploitable without authentication, compensating controls should focus on network isolation and rapid retirement of unsupported devices. End-of-life SRA/SMA appliances with no available patches should be decommissioned.

Remediation

Patch, then assume compromise.

Upgrade affected SonicWall SMA100 appliances to a fixed release later than version 9.0.0.3. If the appliance is end-of-life and no vendor patch is available, decommission and replace it with a supported platform. Apply vendor security guidance for SMA100 products and ensure internet-exposed vulnerable instances are remediated as a priority.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SonicwallSma 100 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cyber security newsNews

Mar 2, 2026

Hackers Attacking SonicWall Firewalls from 4,000+ unique IP Addresses to Exploit Vulnerabilities

A vulnerability affecting SonicWall SRA appliances; the content states there are no available patches for impacted end-of-life devices, so removal/decommissioning is recommended.

greynoise blogNews

Feb 27, 2026

Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure

A SonicWall SRA-related vulnerability explicitly called out as having no patches available on end-of-life appliances; the content recommends decommissioning/disconnecting affected SRA devices.

tenable blogNews

Dec 17, 2025

CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited

A SQL injection vulnerability in SonicWall SMA100.

medium lcamNews

Apr 7, 2023

Makop: The Toolkit of a Criminal Gang | by L M | Medium

A vulnerability affecting SonicWall SMA100 appliances that was referenced as part of an exploitation campaign on internet-exposed devices to deploy LockBit ransomware.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2019-7481

NVD

nvd.nist.gov/vuln/detail/CVE-2019-7481

MITRE CWE · CWE-89

Improper Neutralization of Special Elements…

Vendor Advisory

psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0016

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7481