Introduction
SonicWall has issued a critical warning about significant vulnerabilities in its Secure Mobile Access (SMA) appliances, specifically CVE-2023-44221 and CVE-2024-38475 [1] [4] [7]. These vulnerabilities are actively exploited and pose severe risks to organizations using SMA 100 Series devices, potentially leading to full system takeover and session hijacking [11].
Description
SonicWall has issued a warning regarding significant vulnerabilities in its Secure Mobile Access (SMA) appliances [4], specifically CVE-2023-44221 and CVE-2024-38475 [1] [4] [7]. Both vulnerabilities are actively exploited in the wild and pose serious risks to organizations using SMA 100 Series devices, including models 200, 210, 400, 410 [2] [5], and 500v [2] [3] [4] [5] [6] [7], with potential consequences such as full system takeover and session hijacking.
CVE-2023-44221 is a high-severity post-authentication command injection vulnerability in the SSL-VPN management interface of SMA 100 series devices. Classified under CWE-78 (OS Command Injection) and assigned a CVSS 3.1 base score of 7.2, the flaw allows a remote attacker who is authenticated with administrative privileges to execute arbitrary commands as the ‘nobody’ user on the underlying operating system [1] [5]. It stems from improper neutralization of special elements in user-supplied input [5]. The administrative-privilege requirement is the only barrier, so anything that yields a valid logged-in administrator session token, including a stolen or hijacked session, is enough to exploit it. The bug was discovered by Wenjie Zhong of DBappSecurity Co., Ltd [1] [8] and disclosed by SonicWall in December 2023 [1]; a fix shipped in SMA 100 series version 10.2.1.10-62sv and higher on December 4, 2023 [1]. On April 29, 2025 [1] [2], SonicWall confirmed that the vulnerability is being actively exploited [1], and the US Cybersecurity and Infrastructure Security Agency (CISA) subsequently added it to its Known Exploited Vulnerabilities catalog [1] [7]. Organizations are advised to check their devices for unauthorized logins [5], review authentication and system logs for signs of unauthorized access [5], and patch affected systems promptly [6].
CVE-2024-38475 is a critical pre-authentication arbitrary file read vulnerability in the mod_rewrite module of Apache HTTP Server (versions 2.4.59 and earlier), which the SMA 100 firmware bundles. With a CVSS 3.1 base score of 9.8 [1], the flaw stems from improper escaping of output in mod_rewrite: a crafted URL can make a rewrite rule map the request onto a filesystem path of the attacker's choosing, so files the server process is permitted to read become readable without any authentication [9]. On the SMA appliances this leads to unauthorized file access, session hijacking [2] [4] [5] [11], and disclosure of sensitive source code [3]. In practice attackers have used it to download the SQLite database that stores session identifiers [10], extract an administrator's session ID from it, and thereby obtain administrative control of the device [10]. The vulnerability affects the same SMA models as CVE-2023-44221 and was first presented by Orange Tsai at Black Hat USA 2024. SonicWall published an advisory in December 2024 covering this and five other vulnerabilities [1], with a fix in SMA 100 series version 10.2.1.14-75sv and higher released on December 4, 2024 [1]. An update to that advisory on April 29, 2025 [1], warned that CVE-2024-38475 and the related vulnerabilities were potentially being exploited in the wild [1]. A proof-of-concept exploit chain has since been published that combines the two CVEs: the pre-authentication file read yields an administrator session, and the post-authentication command injection turns that session into command execution on the appliance [8] [10], which makes patching urgent [9].
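The mechanism behind the file read is easier to see with a small model of what mod_rewrite does with a substituted path. The following is an added illustration written for this page, not Apache's code and not the SMA 100's actual rewrite configuration: the rule, the directory and the file names are made up, and Apache's own handling of ".." segments is deliberately left out. The point it shows is that a literal "?" in a request is split off as the query string before decoding, whereas a percent-encoded "%3F" survives into the path, is decoded to "?", and (in 2.4.59 and earlier) truncates the suffix the rule appended, so the attacker rather than the rule decides which file is opened. Apache 2.4.60 refuses such substitutions by default unless the rule carries the UnsafeAllow3F flag, which the model reproduces as the hardened path.

```python
"""Model of the mod_rewrite substitution and '?'-splitting behaviour behind
CVE-2024-38475 (added illustration: this is not Apache's code and not the
SMA100 configuration; the rule, directory and file names are made up)."""
import re
from urllib.parse import unquote


class RewriteRejected(Exception):
    """The hardened behaviour refuses to apply the rule."""


# Hypothetical rule of the vulnerable shape: a URL path is substituted into a
# filesystem path with a fixed suffix that is supposed to pin the file served.
USER_RULE = (r"^/user/(.+)$", "/var/user/$1/profile.yml")


def split_request_target(target: str) -> tuple[str, str]:
    """Split a raw request-target at the first literal '?'.  This happens
    before any percent-decoding, so '%3F' is not a separator here."""
    path, _, query = target.partition("?")
    return path, query


def rewrite(target: str, pattern: str, substitution: str,
            *, allow_3f: bool = False) -> tuple[str, str]:
    """Apply one RewriteRule whose substitution is a filesystem path.

    Returns (filename, query_string).  In the pre-2.4.60 behaviour
    (allow_3f=True, equivalent to the UnsafeAllow3F flag) a '?' that entered
    the path as %3F is treated as a query separator after substitution and
    truncates whatever the rule appended.  The hardened default rejects that
    case instead.  Apache's own '..' normalisation is not modelled."""
    raw_path, query = split_request_target(target)
    decoded_path = unquote(raw_path)                 # %3F becomes a literal '?'
    match = re.match(pattern, decoded_path)
    if match is None:
        return decoded_path, query                   # rule does not apply
    template = re.sub(r"\$(\d+)", r"\\\1", substitution)   # $1 -> \1 for expand()
    result = match.expand(template)
    if "?" in result:
        if "?" in decoded_path and not allow_3f:
            # 2.4.60+ default: the '?' originates from the decoded request
            # path (%3F), so the substitution is refused.
            raise RewriteRejected("substitution contains '?' from decoded %3F")
        # Old behaviour: everything after the first '?' is query arguments,
        # so the appended '/profile.yml' suffix is discarded.
        result, _, result_query = result.partition("?")
        query = result_query or query
    return result, query


def hardened_rejects(target: str, pattern: str, substitution: str) -> bool:
    """True when the 2.4.60+ default would refuse this request."""
    try:
        rewrite(target, pattern, substitution)
    except RewriteRejected:
        return True
    return False


if __name__ == "__main__":
    for target in ("/user/alice", "/user/alice?debug=1", "/user/alice/.ssh/id_rsa%3F"):
        print(f"{target:32} -> vulnerable: {rewrite(target, *USER_RULE, allow_3f=True)}")
        try:
            print(f"{'':32}    hardened:  {rewrite(target, *USER_RULE)}")
        except RewriteRejected as exc:
            print(f"{'':32}    hardened:  rejected ({exc})")
```

Run as a script it prints the three cases side by side: a plain request and a request with a real query string both resolve to the intended profile.yml, while the %3F request resolves to /var/user/alice/.ssh/id_rsa under the old behaviour and is rejected under the hardened one. On the SMA appliances the same truncation is what let the session database be fetched instead of the file the rule meant to serve.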
To mitigate these vulnerabilities [2] [5] [8] [9], organizations should update affected SMA 100 series devices to firmware version 10.2.1.14-75sv or later, which addresses CVE-2024-38475 and also carries the CVE-2023-44221 fix first shipped in 10.2.1.10-62sv [5]; a build between the two fix versions still leaves the appliance open to the pre-authentication file read. It is recommended to monitor VPN and web access logs for anomalies, restrict administrative access to trusted IP ranges [5], enable multi-factor authentication for administrative users [5], and avoid exposing the SMA management interface directly to the internet [5]. After updating, organizations should back up the current configuration and audit device settings for unauthorized changes [5]; because the published chain hands the attacker an administrator session rather than a password, it is also prudent to invalidate active administrator sessions and rotate administrator credentials once the patch is in place. Under Binding Operational Directive 22-01 [6] [7], US federal civilian agencies must remediate these vulnerabilities, now listed in CISA's Known Exploited Vulnerabilities catalog, by May 22, 2025 [6] [7], underscoring the need for timely updates. VPN devices remain high-value targets because they sit at the network edge with access to internal networks and sensitive data [2], and while SonicWall has provided guidance [2], the absence of concrete indicators of compromise limits detection efforts for security teams [2]. watchTowr, which published the exploit chain, has also released a Detection Artefact Generator to help organizations assess their exposure and implement the necessary security measures [11].
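Without vendor-published indicators, log review has to fall back on the shape of the technique itself. The following is an added example, not SonicWall's or watchTowr's tooling: it scans Apache-style access log lines for the two things the file-read trick depends on, a percent-encoded "?" (%3F) inside the request path and dot-dot traversal segments, and ranks hits that returned HTTP 200 first because those are the requests the server actually answered. The log lines are constructed for the example and the file name in them is invented; the heuristic is generic and will also flag scanners and benign oddities, so it is a triage filter, not proof of compromise.

```python
"""Heuristic scan of Apache-style access log lines for the encoded '?' (%3F)
trick behind CVE-2024-38475 and for path-traversal segments.  Added
example: the log lines are constructed, the file names are made up, and the
heuristic is a generic one, not a SonicWall-published indicator."""
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined log format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two benign requests and three that match the heuristic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2025:10:02:11 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 2311
203.0.113.7 - - [30/Apr/2025:10:02:13 +0000] "GET /portal/%3F HTTP/1.1" 200 14
198.51.100.23 - - [30/Apr/2025:10:05:40 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 8190
198.51.100.23 - - [30/Apr/2025:10:05:41 +0000] "GET /..%2f..%2fvar/app/sessions.db%3f HTTP/1.1" 200 65536
198.51.100.23 - - [30/Apr/2025:10:05:42 +0000] "GET /app/%253F HTTP/1.1" 404 196
"""


def decode_path(target: str) -> str:
    """Path part of a request-target, percent-decoded until stable.

    A literal '?' starts the real query string and is dropped; a '%3F' in the
    path survives the split and decodes to '?'.  Decoding repeatedly also
    surfaces double-encoded variants (%253F) so they are flagged for review."""
    path = target.partition("?")[0]
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path


def reasons_for(target: str) -> list[str]:
    """Why a request-target is worth a second look (empty list if benign)."""
    path = decode_path(target)
    reasons = []
    if "?" in path:
        reasons.append("encoded '?' (%3F) inside the path")
    if re.search(r"(^|/)\.\.(/|$)", path):
        reasons.append("dot-dot traversal segment")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Parse each line and return the flagged requests with their reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        reasons = reasons_for(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "target": m["target"],
                "status": int(m["status"]),
                # A 200 means the server served something for that path:
                # those are the first entries to investigate.
                "served": m["status"] == "200",
                "reasons": reasons,
            })
    return findings


def by_source(findings: list[dict]) -> dict[str, int]:
    """Flagged request count per client address."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        flag = "SERVED" if hit["served"] else "      "
        print(f"{flag} {hit['ip']:15} {hit['target']:45} {'; '.join(hit['reasons'])}")
    print("per source:", by_source(hits))
```

On the sample it flags three of the five lines and attributes two of them to one source; the request for the invented sessions.db path is the one to chase first, since it combines traversal with the %3F truncation and was answered with a 65536-byte 200. Pair this with the authentication log check from the advisory: any administrator login that has no matching interactive sign-in, or that follows one of these requests from the same address, is the session-hijack signature the chain leaves behind.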
Conclusion
The vulnerabilities CVE-2023-44221 and CVE-2024-38475 in SonicWall's SMA appliances present significant security risks, and because they chain from an unauthenticated file read to command execution they demand immediate attention and action from affected organizations. By implementing the recommended mitigations, updating firmware, monitoring access and authentication logs, and enabling multi-factor authentication [5] [6], organizations can close the exploitation path and reduce their exposure. The ongoing threat landscape underscores the importance of timely updates and proactive security measures to safeguard sensitive data and maintain system integrity.
References
[1] https://www.infosecurity-magazine.com/news/cisa-exploitation-sonicwall/
[2] https://undercodenews.com/two-actively-exploited-vulnerabilities-found-in-sonicwall-sma100-devices-what-you-need-to-know/
[3] https://thecyberexpress.com/cisa-adds-cve-2024-38475-and-cve-2023-44221/
[4] https://cybermaterial.com/sonicwall-warns-of-exploited-vulnerabilities/
[5] https://rewterz.com/threat-advisory/sonicwall-flags-active-exploitation-of-critical-security-flaws
[6] https://redoracle.com/News/SonicWall-SMA100-Vulnerability-Alert.html
[7] https://cybersecuritynews.com/sonicwall-sma100-os-command-injection/
[8] https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-44221-cve-2024-38475/
[9] https://securityonline.info/sonicwall-exploit-chain-exposes-admin-hijack-risk-via-cve-2023-44221-and-cve-2024-38475/
[10] https://www.helpnetsecurity.com/2025/05/02/sonicwall-cve-2024-38475-cve-2023-44221-exploited/
[11] https://hackread.com/watchtowr-exploits-target-sonicwall-sma-100-devices/