Two SonicWall SMA100 flaws actively exploited in the wild

Article thumbnail image

This post was originally published on Security Affairs. It can be found here.

SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.

SonicWall revealed that attackers actively exploited two security vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, in its SMA100 Secure Mobile Access appliances.

Below are the descriptions of the two flaws:

  • CVE-2023-44221 (CVSS score: 7.2) – Improper neutralization of special elements in the SMA100 SSL-VPN management interface. A remote authenticated attacker with administrative privilege can exploit the flaw to inject arbitrary commands as a ‘nobody’ user, potentially leading to OS Command Injection Vulnerability.
  • CVE-2024-38475 (CVSS score: 9.8) – Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier. An attacker can exploit the flaw to map URLs to file system locations that are permitted to be served by the server

“During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.” reads the advisory updated on April 29, 2025,. “During further analysis, SonicWall and trusted security partners identified that ‘CVE-2023-44221 – Post Authentication OS Command Injection’ vulnerability is potentially being exploited in the wild.”

Both flaws impact SMA 100 Series devices, including SMA 200, 210, 400, 410, 500v. The company addressed the flaws with the following releases:

  • CVE-2023-44221 – 10.2.1.10-62sv and higher versions (Fixed on December 4, 2023)
  • CVE-2024-38475 – 10.2.1.14-75sv and higher versions (Fixed on December 4, 2024)

The company has not provided technical details about the attacks exploiting the vulnerabilities, nor has it attributed them to any specific threat actor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)

This post was originally published on this site

Forum Search

Partners & Sponsors
  • University of Baltimore
  • Towson University
  • Bureau of Justice Assistance
  • National Science Foundation
LATEST FORUM POSTS
Test post2

Test Post2

By Demo User12, 1 year ago

Finding internships

Hello, Has anyone here secured any forensic related internships for 2024? I'm collecting some data and wanted to know what...

By AP Malla, 1 year ago

Beginner network forensic investigation

How should I approach network forensic? Would you recommend learning tools like WireShark?

By AP Malla, 1 year ago

Cyber Forensic Employment: High level guidelines

Understand the Basics: Know the Field: Cyber forensics involves investigating digital crimes, analyzing electronic data, and recovering hidden, deleted, or...

By AP Malla, 1 year ago

LATEST POSTS
Pro-Russia hacktivist group NoName057(16) is targeting Dutch organizations with
Article thumbnail image
The FBI shared 42K phishing domains tied to LabHost, a PhaaS platform shut down
Article thumbnail image
Canadian electric utility Nova Scotia Power and parent company Emera are facing
Article thumbnail image
SonicWall confirmed that threat actors actively exploited two vulnerabilities i