SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild.
The vulnerabilities in question are listed below -
- CVE-2023-44221 (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability
- CVE-2024-38475 (CVSS score: 9.8) - Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server
Both the flaws affect SMA 100 Series devices, including SMA 200, 210, 400, 410, 500v, and were addressed in the following versions -
- CVE-2023-44221 - 10.2.1.10-62sv and higher versions (Fixed on December 4, 2023)
- CVE-2024-38475 - 10.2.1.14-75sv and higher versions (Fixed on December 4, 2024)
In an update to the advisories on April 29, 2025, SonicWall said the vulnerabilities are potentially being exploited in the wild, urging customers to review their SMA devices to ensure that there are no unauthorized logins.
"During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking," the company said.
There are currently no details on how the vulnerabilities are being exploited, who may have been targeted, and the scope and scale of these attacks.
The disclosures come weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another security flaw impacting SonicWall SMA 100 Series gateways (CVE-2021-20035, CVSS score: 7.2) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
PoC Made Available
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on May 1, 2025, added both the flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply the patches by May 22, 2025.
Cybersecurity company watchTowr Labs has published additional technical details of the two vulnerabilities, noting how CVE-2024-38475, a flaw residing in Apache HTTP Server, can be used to bypass authentication and gain administrative control over vulnerable SonicWall SMA appliances.
CVE-2023-44221, on the other hand, has been described as a post-authentication command injection vulnerability affecting the Diagnostics menu of the SonicWall SMA management interface.
This also means that the two shortcomings are likely being chained by threat actors to leak a currently logged-in administrator session token and execute arbitrary commands. A proof-of-concept (PoC) for the exploit chain, codenamed SonicBoom, can be accessed here.
"In-the-wild exploitation of these vulnerabilities has unfortunately been ongoing for some time now, with attackers successfully exploiting appliances to gain access to extremely sensitive organizations," watchTowr CEO Benjamin Harris said in a statement.
"These are relatively trivial vulnerabilities. CVE-2024-38475 is a vulnerability in the open-source Apache HTTP webserver and it's a mod_rewrite module, while CVE-2023-44221 is a simple command injection flaw that is disappointing to see in any enterprise-grade solution."
(The story has been updated after publication to include details of the PoC exploit.)
