SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild.
The vulnerabilities in question are listed below –
- CVE-2023-44221 (CVSS score: 7.2) – Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a ‘nobody’ user, potentially leading to an OS command injection vulnerability
- CVE-2024-38475 (CVSS score: 9.8) – Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server
Both flaws affect SMA 100 Series devices, including SMA 200, 210, 400, 410, and 500v, and were addressed in the following versions –
- CVE-2023-44221 – 10.2.1.10-62sv and higher versions (Fixed on December 4, 2023)
- CVE-2024-38475 – 10.2.1.14-75sv and higher versions (Fixed on December 4, 2024)
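The fixed versions listed above can be turned into an inventory check. The following is an added example, not code from SonicWall or from the article; it assumes firmware strings always follow the `a.b.c.d-NNsv` pattern seen in the advisory, and the hostnames and installed versions in the sample inventory are constructed.

```python
from __future__ import annotations

import re

# First firmware builds carrying each fix, as stated in the article.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed format: four dotted numeric fields, a build number, and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version: str) -> tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75).

    Comparing integers avoids the string-comparison trap where
    '10.2.1.9' sorts after '10.2.1.14'.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised SMA firmware string: {version!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(version: str) -> list[str]:
    """Return the CVEs whose fixed build is newer than the installed one."""
    installed = parse_firmware(version)
    return sorted(
        cve for cve, fixed in FIXED_IN.items()
        if installed < parse_firmware(fixed)
    )


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each appliance to its missing fixes; flag unparseable versions."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = unpatched_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]  # needs manual review
    return report


# Constructed sample inventory (illustrative hostnames and versions).
SAMPLE_INVENTORY = {
    "sma-edge-01": "10.2.1.9-57sv",
    "sma-edge-02": "10.2.1.13-72sv",
    "sma-edge-03": "10.2.1.14-75sv",
    "sma-lab-01": "unknown",
}
```

A host that reports an empty list is at or above both fixed builds; that says nothing about whether it was compromised before patching, so the login review SonicWall recommends still applies.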
In an update to the advisories on April 29, 2025, SonicWall said the vulnerabilities are potentially being exploited in the wild, urging customers to review their SMA devices to ensure that there are no unauthorized logins.
“During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking,” the company said.
There are currently no details on how the vulnerabilities are being exploited, who may have been targeted, and the scope and scale of these attacks.
The disclosures come weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another security flaw impacting SonicWall SMA 100 Series gateways (CVE-2021-20035, CVSS score: 7.2) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
PoC Made Available
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on May 1, 2025, added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply the patches by May 22, 2025.
Cybersecurity company watchTowr Labs has published additional technical details of the two vulnerabilities, noting how CVE-2024-38475, a flaw residing in Apache HTTP Server, can be used to bypass authentication and gain administrative control over vulnerable SonicWall SMA appliances.
CVE-2023-44221, on the other hand, has been described as a post-authentication command injection vulnerability affecting the Diagnostics menu of the SonicWall SMA management interface.
This also means that the two shortcomings are likely being chained by threat actors to leak a currently logged-in administrator session token and execute arbitrary commands. A proof-of-concept (PoC) for the exploit chain is publicly available.
“In-the-wild exploitation of these vulnerabilities has unfortunately been ongoing for some time now, with attackers successfully exploiting appliances to gain access to extremely sensitive organizations,” watchTowr CEO Benjamin Harris said in a statement.
“These are relatively trivial vulnerabilities. CVE-2024-38475 is a vulnerability in the open-source Apache HTTP webserver and its mod_rewrite module, while CVE-2023-44221 is a simple command injection flaw that’s disappointing to see in any enterprise-grade solution.”
(The story has been updated after publication to include details of the PoC exploit.)