
SonicWall has issued a serious warning to users of its Secure Mobile Access (SMA) 100 Series appliances. Two significant security flaws — one from 2023 and another from 2024 — are currently being exploited by attackers in the wild. The company urges all users to immediately patch their systems and check for unauthorized access.
What Are the Vulnerabilities?
The two flaws impact a range of SonicWall SMA 100 Series devices, including models SMA 200, 210, 400, 410, and 500v. These vulnerabilities are:
1. CVE-2023-44221 (CVSS Score: 7.2)
Type: OS Command Injection
Severity: High
Impact: This vulnerability exists due to improper handling of special elements in the SMA 100 SSL-VPN management interface. An authenticated attacker with admin privileges can inject commands into the system as a limited ‘nobody’ user.
Patched In: Version 10.2.1.10-62sv (Released December 4, 2023)
2. CVE-2024-38475 (CVSS Score: 9.8)
Type: Arbitrary File Access (Apache mod_rewrite flaw)
Severity: Critical
Impact: This issue arises from improper output escaping in the mod_rewrite module of Apache HTTP Server (version 2.4.59 and earlier). It can allow attackers to access files on the server, potentially leading to session hijacking or admin takeover.
Patched In: Version 10.2.1.14-75sv (Released December 4, 2024)
Confirmed Exploitation in the Wild
In an update on April 29, 2025, SonicWall confirmed that both CVE-2023-44221 and CVE-2024-38475 are now being exploited in the wild. The company advised customers to carefully inspect their devices for signs of unauthorized access or suspicious activity.
SonicWall, together with its trusted security partners, found that attackers are using CVE-2024-38475 to access files without authentication. In some cases, this access is used to hijack user sessions and bypass security protections, allowing attackers to operate as if they were administrators.
US Government Adds Flaws to KEV Catalog
On May 1, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This confirms active exploitation and requires all federal agencies to apply patches by May 22, 2025.
CISA had previously added another SonicWall flaw (CVE-2021-20035) to its KEV list, showing a trend of attackers targeting SonicWall SMA gateways.
Details on How the Exploits Work
Cybersecurity firm watchTowr Labs published a detailed technical report explaining how the two vulnerabilities can be chained together. According to the research:
CVE-2024-38475 (Apache flaw) can be used to bypass authentication and read sensitive files, including session tokens.
CVE-2023-44221 (command injection) can then be used to execute arbitrary commands on the device using those stolen session credentials.
By combining both flaws, attackers can fully compromise vulnerable SonicWall appliances.
“These are relatively simple vulnerabilities to exploit, and it’s concerning to see them in enterprise-grade products,” said Benjamin Harris, CEO of watchTowr. “Unfortunately, attackers have been using these exploits successfully for some time to target sensitive organizations.”

Who Discovered These Vulnerabilities?
CVE-2023-44221 was discovered by Wenjie Zhong (aka H4lo) from DBappSecurity’s Webin Lab and reported through SonicWall’s official channels in 2023.
CVE-2024-38475 was initially disclosed by Orange Tsai, a well-known security researcher from Devcore, during Black Hat USA 2024. Although it is an Apache vulnerability, its exploitation against SonicWall products has brought it back into the spotlight.
Why It Matters
These vulnerabilities are particularly dangerous because:
They are already being used in real-world attacks.
They target a popular remote access product used by enterprises and government agencies.
Patches have been available for months, but many systems remain unpatched.
What Should You Do?
If you’re using a SonicWall SMA 100 Series device, take the following steps immediately:
Update Firmware: Ensure your device is running version 10.2.1.14-75sv or newer.
Check for Unauthorized Access: Review logs and monitor for unusual admin logins.
Disable Unused Features: Reduce the attack surface by disabling any unused services.
Follow CISA Guidance: If you are a U.S. government agency or contractor, comply with the KEV deadline.
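The first two steps above (confirm the firmware level, then look for unusual admin logins) can be turned into a repeatable check. The script below is an added example written for this article; it is not SonicWall's code or a tool the advisory provides. Its firmware inventory and log lines are constructed sample data, and the log format it parses (ISO timestamp, user, source address, result) is an assumed stand-in, not the appliance's real log format. The fixed versions it compares against are the two stated in the advisory text.

```python
"""Added example (not from the article or from SonicWall): check an SMA 100
firmware inventory against the fixed versions named in the advisory and triage
admin login records for unexpected sources or off-hours access.

Assumptions: the inventory and log lines below are constructed, and the log
format is a hypothetical stand-in for whatever the appliance actually emits.
"""
import re
from datetime import datetime

# Fixed firmware versions as stated in the advisory text.
FIXED_VERSIONS = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# SonicWall SMA firmware strings look like 10.2.1.14-75sv: four dotted
# numbers, a dash, a build number and the "sv" suffix.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv")


def parse_version(version):
    """Turn '10.2.1.14-75sv' into the comparable tuple (10, 2, 1, 14, 75)."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def missing_patches(installed):
    """Return the CVEs whose fixing release is newer than the installed firmware."""
    installed_t = parse_version(installed)
    return [cve for cve, fixed in FIXED_VERSIONS.items()
            if installed_t < parse_version(fixed)]


# Hypothetical log line shape, e.g.
# "2025-04-28T09:12:03 user=admin src=10.0.5.20 result=success"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+) result=(?P<result>\w+)$"
)


def suspicious_admin_logins(lines, admin_users, expected_sources, business_hours=(8, 18)):
    """Flag successful admin logins from unexpected source addresses or outside
    business hours. Returns (user, ip, timestamp, reasons) tuples."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["result"] != "success" or m["user"] not in admin_users:
            continue
        ts = datetime.fromisoformat(m["ts"])
        reasons = []
        if m["ip"] not in expected_sources:
            reasons.append("unexpected source")
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((m["user"], m["ip"], ts.isoformat(), reasons))
    return findings


# Constructed sample data: device names, versions, addresses and times are made up.
SAMPLE_INVENTORY = {
    "sma-410-dc1": "10.2.1.9-57sv",
    "sma-500v-lab": "10.2.1.12-68sv",
    "sma-210-branch": "10.2.1.14-75sv",
}
SAMPLE_LOG = [
    "2025-04-28T09:12:03 user=admin src=10.0.5.20 result=success",
    "2025-04-28T02:47:51 user=admin src=203.0.113.77 result=success",
    "2025-04-28T02:48:10 user=jdoe src=10.0.5.31 result=success",
    "2025-04-28T10:01:00 user=admin src=10.0.5.20 result=failure",
]

if __name__ == "__main__":
    for device, version in SAMPLE_INVENTORY.items():
        gaps = missing_patches(version)
        status = "missing " + ", ".join(gaps) if gaps else "patched for both CVEs"
        print(f"{device} ({version}): {status}")
    for user, ip, ts, reasons in suspicious_admin_logins(SAMPLE_LOG, {"admin"}, {"10.0.5.20"}):
        print(f"REVIEW: {user} from {ip} at {ts}: {'; '.join(reasons)}")
```

Comparing the version as a tuple rather than as a string matters here: a plain string comparison would rank 10.2.1.9-57sv above 10.2.1.14-75sv because "9" sorts after "1". The login triage only flags successful admin sessions, which is the condition the advisory asks you to look for; failed attempts from the expected management network are left out of the report.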
Conclusion
This incident highlights the critical importance of timely patching and security monitoring. While SonicWall has acted to address these flaws, ongoing exploitation shows that many organizations have not yet updated their systems.
As attackers become more sophisticated, even basic vulnerabilities like command injection or improper file access can be chained together to cause major security incidents.
Don’t wait until it’s too late — patch your systems now and stay vigilant.