Issue 61: Sonic Wall SMA Exploited, Critical Apple Security Updates & Increased Scanning of Palo Alto GlobalProtect


Your top stories 18 April 2025:

  1. CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices
  2. Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks
  3. Increased Scanning of Palo Alto GlobalProtect Portals Raises Security Concerns


Welcome back to Critical Chatter, your weekly round-up of current cybersecurity threats, vulnerabilities and active exploits, curated by your humble SOC team. 👋




CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalogue following evidence of active exploitation. The flaw affects SonicWall Secure Mobile Access (SMA) 100 Series gateways.


This high-severity vulnerability (CVSS score: 7.2) is an operating system command injection issue in the SMA100 management interface. It allows remote authenticated attackers to execute arbitrary commands as the low-privilege "nobody" user, potentially leading to full code execution.


The vulnerability affects SMA 200, 210, 400, 410, and 500v devices deployed on ESX, KVM, AWS, and Azure platforms, specifically those running firmware versions 10.2.1.0-17sv, 10.2.0.7-34sv, and 9.0.0.10-28sv and earlier. These issues have been addressed in firmware versions 10.2.1.1-19sv, 10.2.0.8-37sv, and 9.0.0.11-31sv.
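A quick way to triage an SMA inventory against the affected and fixed builds listed above. This is an added example, not SonicWall's or CISA's tooling; the hostnames and the "9.0.0.9-26sv" build in the sample inventory are constructed, and the version-string format is assumed from the builds quoted in the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed build on each SMA 100 firmware branch (from the advisory summary above).
FIXED_BUILDS = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}

# Assumed shape of an SMA firmware string: a.b.c.d-NNsv
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so builds compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it is at or past
    the fix, None if the branch is not one of the three the advisory covers."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:3])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split {hostname: firmware} into (hosts needing the patch, hosts on an unlisted branch)."""
    needs_patch, unknown = [], []
    for host, firmware in sorted(inventory.items()):
        verdict = is_vulnerable(firmware)
        (unknown if verdict is None else needs_patch if verdict else []).append(host)
    return needs_patch, unknown


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"sma-dc1": "10.2.1.0-17sv", "sma-dc2": "10.2.1.1-19sv", "sma-lab": "9.0.0.9-26sv"}
    print(triage(sample))  # (['sma-dc1', 'sma-lab'], [])
```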


Although the specifics of the in-the-wild exploitation remain unclear, SonicWall has confirmed the vulnerability is being targeted.


In response, CISA has mandated that all Federal Civilian Executive Branch agencies implement the required patches by 7 May 2025 to protect against this active threat.


TLDR; CISA has warned of active exploitation of a critical command injection flaw (CVE-2021-20035) in SonicWall SMA 100 Series devices and mandated federal agencies to patch affected systems by May 7, 2025.




Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks

Apple has issued critical security updates across iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two actively exploited vulnerabilities: CVE-2025-31200 and CVE-2025-31201. CVE-2025-31200 (CVSS 7.5) involves a memory corruption flaw in the Core Audio framework that could enable code execution through a maliciously crafted media file.


CVE-2025-31201 (CVSS 6.8) impacts the RPAC component and allows attackers with arbitrary read/write access to bypass Pointer Authentication. Apple resolved these flaws via improved bounds checking and by removing the vulnerable code. The issues were discovered by Apple and Google’s Threat Analysis Group, and are being used in highly targeted attacks against specific iOS users.


These two vulnerabilities bring the total number of actively exploited zero-days addressed by Apple in 2025 to five.


Previous patches covered CVE-2025-24085 (CVSS 7.8), a use-after-free flaw in Core Media; CVE-2025-24200 (CVSS 4.6), an authorisation bypass in Accessibility; and CVE-2025-24201 (CVSS 7.1), an out-of-bounds write in WebKit used to escape the Web Content sandbox. The latest patches are available for iOS 18.4.1 and iPadOS 18.4.1 (iPhone XS and newer, iPads from 7th gen and up), macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1.


Given the confirmed exploitation in the wild, users should update immediately to avoid ongoing threats.


TLDR; Apple has released urgent security updates to patch two actively exploited zero-day flaws (CVE-2025-31200 and CVE-2025-31201) targeting iOS users in sophisticated attacks. Users should update all affected devices ASAP.




Increased Scanning of Palo Alto GlobalProtect Portals Raises Security Concerns

A surge in scanning activity targeting Palo Alto Networks GlobalProtect login portals has raised alarms, with researchers warning it may precede an exploit of a new or existing vulnerability.


According to GreyNoise, over 24,000 unique IP addresses have engaged in scanning, peaking at 20,000 daily on 17 March 2025 and sustaining this level until 26 March. Of these, 23,800 were deemed suspicious, while 154 were classified as malicious. Most scanning attempts originated from the United States and Canada, primarily targeting US-based systems.


GreyNoise has noted a pattern where such spikes in scanning activity typically precede vulnerability disclosures by two to four weeks. Researchers believe the scans may serve as reconnaissance to test network defences before potential exploitation attempts. Additionally, a separate spike in PAN-OS crawler activity was observed on 26 March, involving 2,580 IPs, drawing comparisons to last year’s ArcaneDoor espionage campaign against edge devices.


Administrators of Palo Alto Networks GlobalProtect systems should review logs since mid-March, monitor for compromise, harden login portals, and block known malicious IPs. Palo Alto Networks acknowledged the issue and has advised customers to run the latest PAN-OS versions while investigations continue.
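One way to do the log review suggested above: count unique source addresses hitting the portal login page per day and flag days that jump well above the earlier baseline, then pull the sources from those days for review. This is an added example, not GreyNoise or Palo Alto Networks code; the log lines are constructed in a simple "timestamp ip method path" layout (not PAN-OS's real log format), and the login path is assumed.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, Set

PORTAL_LOGIN_PATH = "/global-protect/login.esp"  # assumed portal login path

# Constructed sample log: a few legitimate users over three days, then a burst
# of 20 distinct sources on 17 March (the peak day mentioned in the article).
SAMPLE_LOG: List[str] = [
    "2025-03-14T09:01:00Z 198.51.100.10 GET /global-protect/login.esp",
    "2025-03-14T09:02:00Z 198.51.100.11 GET /global-protect/login.esp",
    "2025-03-15T08:00:00Z 198.51.100.10 GET /global-protect/login.esp",
    "2025-03-15T08:30:00Z 198.51.100.12 GET /global-protect/login.esp",
    "2025-03-16T10:00:00Z 198.51.100.11 GET /global-protect/login.esp",
    "2025-03-16T10:05:00Z 198.51.100.11 GET /global-protect/portal/other",
] + [f"2025-03-17T12:{i:02d}:00Z 203.0.113.{i} GET /global-protect/login.esp" for i in range(1, 21)]


def login_sources_per_day(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each day to the set of source IPs that requested the portal login page."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ts, ip, _method, path = line.split()
        if path == PORTAL_LOGIN_PATH:
            seen[ts[:10]].add(ip)
    return dict(seen)


def flag_scan_spikes(lines: Iterable[str], factor: float = 3.0, min_ips: int = 10) -> Dict[str, int]:
    """Return {day: unique_sources} for days where the count is at least `min_ips`
    and more than `factor` times the median of all earlier days."""
    per_day = {day: len(ips) for day, ips in login_sources_per_day(lines).items()}
    flagged, history = {}, []
    for day in sorted(per_day):
        n = per_day[day]
        if history and n >= min_ips and n > factor * median(history):
            flagged[day] = n
        history.append(n)
    return flagged


def sources_on_flagged_days(lines: List[str]) -> Set[str]:
    """IPs active on flagged days, for review against threat intel before any blocking."""
    sources = login_sources_per_day(lines)
    return set().union(*(sources[day] for day in flag_scan_spikes(lines)))


if __name__ == "__main__":
    print(flag_scan_spikes(SAMPLE_LOG))  # {'2025-03-17': 20}
    print(sorted(sources_on_flagged_days(SAMPLE_LOG)))
```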


TLDR; A significant spike in scanning of Palo Alto GlobalProtect portals, likely reconnaissance ahead of potential exploitation, has sparked security warnings, with admins urged to review logs, harden defences and update PAN-OS.


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).


If you like what you've read, subscribe so you don't miss next week's roundup.
