
WARNING: IMMINENT THREAT: RANSOMWARE OPERATORS ARE EXPLOITING SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware

Advisory #2020-013
Affected software: 
SonicWall SRA 4600/1600 (EOL 2019)
SonicWall SRA 4200/1200 (EOL 2016)
SonicWall SSL-VPN 200/2000/400 (EOL 2013/2014)
SonicWall SMA 400/200 (Still Supported, in Limited Retirement Mode)
Credential Theft




The Centre for Cyber Security Belgium (CCB) is aware of an imminent ransomware threat targeting unpatched end-of-life SRA & SMA 8.x remote access devices.
Threat actor groups are leveraging stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.
Organisations that are using vulnerable SonicWall appliances must update or disconnect their devices immediately, and reset all passwords and/or enable MFA!
Organisations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.

Recommended Actions

SRA 4600/1600 (EOL 2019) / SRA 4200/1200 (EOL 2016) / SSL-VPN 200/2000/400 (EOL 2013/2014)
  • Disconnect immediately
  • Reset passwords
SMA 400/200 (Still Supported, in Limited Retirement Mode)
  • Update to or immediately
  • Reset passwords
  • Enable MFA
Remark: Whilst not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate vulnerabilities discovered in early 2021.
SMA 210/410/500v (Actively Supported)
  • Firmware 9.x should immediately update to or later
  • Firmware 10.x should immediately update to or later
General Advice
  • The CCB advises administrators of vulnerable SonicWall appliances to follow the advice of SonicWall as listed above.
  • The CCB advises organisations to scale up monitoring and detection capabilities so that any related suspicious activity is detected and an intrusion can be responded to quickly.
  • The CCB urges organisations to perform periodic checks of their infrastructure to detect EOL devices in a timely manner and to replace them with supported and secure appliances.