SonicWall Acknowledges Ongoing Exploitation of Vulnerabilities Impacting Various Appliance Models

SonicWall Acknowledges Exploitation of Critical Vulnerabilities in SMA100 Series Devices

SonicWall has confirmed that two significant vulnerabilities within its SMA100 Secure Mobile Access appliances have been actively exploited. These flaws, recently patched, pose serious risks to organizations utilizing these devices, particularly those in sensitive sectors.

The first vulnerability, identified as CVE-2023-44221, has a CVSS score of 7.2. It involves improper handling of special elements in the SMA100 SSL-VPN management interface, enabling a remote authenticated attacker with administrative privileges to execute arbitrary commands as the ‘nobody’ user. This makes it an OS command injection flaw that allows an attacker to compromise the system’s integrity.

The second flaw, CVE-2024-38475, carries a more critical CVSS score of 9.8. This vulnerability stems from inadequate output escaping in the mod_rewrite module of Apache HTTP Server versions 2.4.59 and earlier. It permits an attacker to map URLs to file system locations the server is permitted to serve but that were not meant to be reachable directly, creating a pathway for unauthorized access and further exploitation of the system.

Both vulnerabilities impact a range of SMA 100 Series devices, including models such as SMA 200, 210, 400, 410, and 500v. SonicWall has released patches for these issues in specific versions: CVE-2023-44221 was addressed in 10.2.1.10-62sv and later, while CVE-2024-38475 was fixed in 10.2.1.14-75sv and subsequent versions.
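A defender's first practical step is to compare the firmware actually running on each SMA appliance with the two fixed versions named above. The following Python script is an added example, not SonicWall tooling or code from the original article. It takes the fixed versions from the text, and assumes (based only on the two strings quoted there) that SMA firmware versions have the form MAJOR.MINOR.PATCH.REV-BUILDsv and that a numerically larger tuple is a newer build; the hostnames and the other version strings in the sample inventory are constructed for the example.

```python
"""Check SonicWall SMA 100 series firmware versions against the fixed versions
named in the advisory: 10.2.1.10-62sv for CVE-2023-44221 and 10.2.1.14-75sv
for CVE-2024-38475.

Added illustration, not SonicWall tooling. The version-string format
MAJOR.MINOR.PATCH.REV-BUILDsv is an assumption inferred from the two
strings quoted on the page.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions as stated in the advisory text (values from the page).
FIXED_VERSIONS: Dict[str, str] = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed format: four dotted numeric fields, a dash, a build number, the suffix "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def unpatched_cves(version: str) -> List[str]:
    """Return the CVEs from FIXED_VERSIONS whose fix the given firmware still lacks."""
    running = parse_version(version)
    return [cve for cve, fixed in FIXED_VERSIONS.items()
            if running < parse_version(fixed)]


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device name to its list of unpatched CVEs (empty list = current).

    A version string that does not parse is reported under a sentinel rather
    than silently skipped, so an odd or hand-typed entry still gets attention.
    """
    report: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            report[host] = unpatched_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
    return report


# Constructed sample inventory: hostnames and all versions other than the two
# fixed versions are invented for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sma410-branch": "10.2.1.9-57sv",   # below both fixes
    "sma210-lab": "10.2.1.12-70sv",     # has the 2023 fix, lacks the 2024 fix
    "sma500v-dc": "10.2.1.14-75sv",     # exactly at the later fix
    "sma200-edge": "10.2.1.15-81sv",    # newer than both fixes
    "sma400-odd": "10.2.1.14",          # malformed entry, flagged as unknown
}

if __name__ == "__main__":
    for host, cves in audit_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "patched for both CVEs"
        print(f"{host:15} {SAMPLE_INVENTORY[host]:16} {status}")
```

The check is deliberately strict: anything that does not match the assumed pattern is surfaced as unknown rather than treated as patched, which is the safe default when the inventory is assembled by hand from several appliances.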

On April 29, 2025, SonicWall issued an advisory indicating that these vulnerabilities are likely being exploited in the wild, urging customers to thoroughly audit their SMA devices for any unauthorized login attempts. Analysis by SonicWall and its security partners revealed an additional exploitation technique involving CVE-2024-38475 that grants access to sensitive files, increasing the risk of session hijacking.

This disclosure follows a recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which included another vulnerability affecting SonicWall products in its Known Exploited Vulnerabilities catalog, indicating heightened concerns over the security landscape surrounding these devices.

On May 1, 2025, CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the patches by May 22, 2025. In-depth analyses have emerged from cybersecurity firms such as watchTowr Labs, which published technical insights detailing how CVE-2024-38475 could be leveraged to gain unauthorized administrative control over vulnerable SonicWall appliances.

CVE-2023-44221 has been classified as a post-authentication command injection issue affecting the Diagnostics menu within the management interface, raising alarms that threat actors may be chaining the two vulnerabilities to compromise currently active administrator session tokens.

Given the nature of these vulnerabilities, several MITRE ATT&CK techniques may apply. Initial access is likely achieved by exploiting a public-facing application (T1190), adversaries could use exploitation for privilege escalation (T1068) to gain administrative control, and account manipulation (T1098) could provide persistence as attackers maintain a foothold in compromised systems.

The security implications of these vulnerabilities are profound, given that they have been actively exploited against sensitive organizations. As stated by watchTowr’s CEO, these flaws are particularly concerning due to their simplicity and the potential ease with which attackers can exploit them. The cybersecurity community and affected organizations alike must remain vigilant in addressing these vulnerabilities to mitigate risks.

In conclusion, as SonicWall navigates these significant security challenges, business owners should prioritize reviewing their cybersecurity protocols and ensuring that their devices are updated and continually monitored to prevent unauthorized access.
