SonicWall’s ‘NetExtender VPN’ Hacked by Highly Sophisticated Actors

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

‘SonicWall’, the American internet appliance and award-winning network security company, has announced the occurrence of a coordinated attack against its internal systems. As the firm explained, the infiltrators appear to be highly sophisticated threat actors as they leveraged zero-day vulnerabilities in the ‘NetExtender VPN’ client and the ‘Secure Mobile Access’ made by the company itself and used internally by the employees.

According to reports that surfaced on The Hacker News, SonicWall has had some notable outage events earlier in the week, a result of the aforementioned hack. As for what the hackers managed to access before they were eventually thwarted, the main thing was source code hosted on the company’s GitLab repository. However, this hasn’t been officially confirmed by SonicWall, so we’re reproducing it with prudence.

The company has identified the zero-days used by the hackers and is in the process of addressing them with a fixing patch. Naturally, this will take some time, so owners of the affected products are urged to read the security notice issued by the firm today and follow the instructions on how to apply effective mitigations. Most importantly, enabling multi-factor authentication on all SonicWall products.

The impacted products are the following:

The firm clarifies that the SMA 100 Series isn’t susceptible to the identified flaws. The NetExtender 10.x could also be invincible to attacks of this kind depending on their whitelisting and firewall access configuration. For more details on that, check out the urgent security notice.

This is yet another example of a large security vendor falling victim to sophisticated hackers, potentially opening up a channel for supply chain attacks targeting high-profile clients of the company. It happened with SolarWinds leading to the subsequent compromise of FireEye, Microsoft, Malwarebytes, and more.

In SonicWall’s case, we have a different path but of the same level of sophistication. Certainly, access to its products’ source code isn’t a good thing, but at least the firm detected the malicious activity before the actors had the chance to use them as a stepping stone to accessing its clients' systems.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: