SonicWall has revealed that two now-patched security flaws affecting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild.
The vulnerabilities in question are listed below –
- CVE-2023-44221 (CVSS score: 7.2) – Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privileges to inject arbitrary commands as a "nobody" user, leading to an OS command injection vulnerability.
- CVE-2024-38475 (CVSS score: 9.8) – Improper escaping of output in mod_rewrite prior to Apache HTTP Server 2.4.59 allows an attacker to map URLs to file system locations that the server is permitted to serve.
Both flaws affect SMA 100 Series devices, including SMA 200, 210, 400, 410, and 500v, and were addressed in the following versions –
- CVE-2023-44221 – 10.2.1.10-62SV and later versions (fixed on December 4, 2023)
- CVE-2024-38475 – 10.2.1.14-75SV and higher versions (fixed on December 4, 2024)
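As an added example (not from SonicWall or the original article), the Python below checks an inventory of firmware versions against the two fixed-in versions listed above. It assumes firmware strings always have the shape `10.2.1.14-75sv` and order numerically field by field; the function names and the sample inventory are made up for illustration.

```python
import re

# Fixed-in versions as listed in the article above.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed firmware string shape: four dotted numbers, a dash, a build number, "sv".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv\s*$", re.IGNORECASE)


def parse_version(text):
    """Return the firmware version as a tuple of five integers."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(firmware):
    """List the CVEs whose fixed-in version is newer than this firmware."""
    current = parse_version(firmware)  # integer tuples, so 9 sorts before 10
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if current < parse_version(fixed))


def audit(inventory):
    """Map each appliance to its unpatched CVEs; unparseable versions are
    flagged for manual review instead of being treated as patched."""
    report = {}
    for name, firmware in inventory.items():
        try:
            report[name] = unpatched_cves(firmware)
        except ValueError:
            report[name] = ["UNKNOWN-VERSION"]
    return report


# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "sma-410-hq": "10.2.1.9-57sv",
    "sma-210-branch": "10.2.1.13-72sv",
    "sma-500v-lab": "10.2.1.14-75SV",
    "sma-400-old": "unknown",
}

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'at or above both fixed versions'}")
```

An empty result reflects patch level only; the request to review SMA devices for unauthorized logins still applies to appliances that were exposed before they were updated.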
In an update to the advisories on April 29, 2025, SonicWall said the vulnerabilities are potentially being exploited in the wild, urging customers to review their SMA devices to ensure there are no unauthorized logins.
“During further analysis, SonicWall and our trusted security partners have identified additional exploitation techniques using CVE-2024-38475.”
There are currently no details about how the vulnerabilities are being exploited, who may have been targeted, or the scope and scale of these attacks.
This disclosure comes just a few weeks after the US Cybersecurity and Infrastructure Security Agency (CISA) added another security flaw affecting the SonicWall SMA 100 Series Gateway (CVE-2021-20035, CVSS score: 7.2) to its Known Exploited Vulnerabilities (KEV) catalog.
PoC Now Available
On May 1, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to the Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to patch them by May 22, 2025.
Cybersecurity company watchTowr Labs has published additional technical details of the two vulnerabilities, describing how CVE-2024-38475, a flaw present in the Apache HTTP Server, can be used to bypass authentication and gain administrative control over vulnerable SonicWall SMA appliances.
Meanwhile, CVE-2023-44221 is described as a post-authentication command injection vulnerability affecting the diagnostic menu of the SonicWall SMA management interface.
This also means the two flaws are likely being chained by threat actors to leak the session token of a currently logged-in administrator and execute arbitrary commands. A proof-of-concept (PoC) for the exploit chain is available.
“In-the-wild exploitation of these vulnerabilities has unfortunately continued for some time, with attackers successfully exploiting appliances and accessing highly sensitive organizations,” watchTowr CEO Benjamin Harris said in a statement.
“These are relatively trivial vulnerabilities. CVE-2024-38475 is a vulnerability in the open source Apache HTTP web server's mod_rewrite module, and CVE-2023-44221 is a simple command injection flaw that is disappointing to see in any ongoing solution.”
(The story was updated after publication to include details about the POC exploit.)