
SonicWall has confirmed that two critical security flaws in its Secure Mobile Access (SMA) 100 Series appliances have been exploited in the wild. These vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, affect a wide range of devices used in enterprise VPN deployments and secure remote access infrastructure. Although patches were issued, the confirmation of real-world exploitation raises urgent concerns about organizations that may have delayed their updates.
The SMA100 series is widely used by enterprises to manage remote access for employees and third-party vendors. The discovery of these security flaws, especially with one carrying a near-maximum CVSS score, poses significant risks of command injection and session hijacking. Let’s break down what these vulnerabilities are, how they’re being abused, and what enterprises must do now to defend their networks.
The Incidents
Two security vulnerabilities in SonicWall’s SMA100 devices have been confirmed as actively exploited in real-world scenarios.
- CVE-2023-44221 (CVSS 7.2) is a command injection flaw triggered via improper handling of special elements within the SSL-VPN management interface.
- The flaw allows remote, authenticated attackers with admin privileges to execute arbitrary commands as the ‘nobody’ user.
- CVE-2024-38475 (CVSS 9.8) involves improper output escaping in Apache’s mod_rewrite component, enabling attackers to map URLs to file system locations—ultimately risking unauthorized file access and session hijacking.
- Both vulnerabilities affect SMA 100 Series devices including models 200, 210, 400, 410, and 500v.
- Fixes were released as follows:
  - CVE-2023-44221 was patched in version 10.2.1.10-62sv and above (released December 4, 2023).
  - CVE-2024-38475 was patched in version 10.2.1.14-75sv and above (released December 4, 2024).
- As of April 29, 2025, SonicWall has updated advisories confirming active exploitation of these vulnerabilities and warned users to investigate their devices for any signs of unauthorized access.
- No public technical details, proof-of-concept exploits, or indicators of compromise have been disclosed yet.
- The use of CVE-2024-38475 for session hijacking was flagged by SonicWall and its security partners after further exploitation analysis.
- The attack vectors appear to be post-authentication in nature, meaning attackers must already possess valid credentials or session tokens in some scenarios.
- These disclosures follow CISA’s recent addition of CVE-2021-20035 (another SMA100 vulnerability) to its Known Exploited Vulnerabilities catalog—signaling an uptick in SonicWall-targeted exploitation.
- Companies still using older firmware versions remain at critical risk.
- The timeline between discovery, patching, and disclosure highlights how attackers are getting faster at reverse-engineering patches and launching attacks before organizations can respond.
- The vulnerabilities add to a growing list of high-profile issues affecting SSL-VPN gateways across multiple vendors.
- VPN devices remain top-tier targets due to their direct line to internal networks and sensitive session data.
- While SonicWall has issued guidance, the lack of concrete IOCs or exploit details limits detection capabilities for many security teams.
What Undercode Says:
The SonicWall SMA100 vulnerabilities continue a disturbing trend that has plagued enterprise VPN infrastructure for the past several years. At Undercode, we’ve consistently monitored the exploitation of perimeter devices because they serve as ideal initial access points for advanced threat actors and ransomware groups.
Let’s break down the key issues:
- Post-authenticated RCE flaws like CVE-2023-44221 are dangerous not because they’re externally exploitable by default, but because they become devastating when attackers have credentials—whether via phishing, credential stuffing, or leaked secrets.
- CVE-2024-38475’s integration with Apache mod_rewrite introduces a wide attack surface that’s familiar to many threat actors. The flaw doesn’t require creative new exploits—just precise URL mapping and misconfigurations. It’s highly reproducible once the patch is reverse-engineered.
- The timeline matters. Both vulnerabilities were patched months ago, but exploitation is only now being confirmed. That’s a signal that threat actors are either developing exploits later or were lying low and now surfacing.
- There’s an obvious gap in disclosure—no exploit chains, no indicators, no targets. That limits detection, and in many enterprises, patching gets delayed unless there’s proof of compromise. SonicWall’s advisories remain vague, perhaps to minimize panic or because they lack full telemetry.
- CISA’s involvement adds weight. When vulnerabilities make it into the KEV catalog, it reflects real-world impact and an elevated threat level. Combined with this latest disclosure, it’s clear that SonicWall appliances are firmly in the crosshairs of state-sponsored groups or financially motivated attackers.
- VPN appliances are often blind spots in enterprise monitoring. They’re typically outside standard EDR/XDR coverage and not easily patched without downtime. That creates an exploitable window of vulnerability far longer than internal systems.
- Attackers are getting smarter. We’re seeing exploitation that bypasses traditional logging and monitoring, especially when flaws allow for session hijacking or privilege escalation.
- Session hijacking via file mapping is a serious red flag. If attackers can access session tokens or cached credentials, they can bypass MFA and replay sessions—giving them privileged access without triggering alerts.
- Organizations must shift focus to firmware management. Application patching alone isn’t enough. Firmware updates should be treated with equal urgency and integrated into continuous vulnerability management workflows.
- The role of security partners is growing. SonicWall didn’t discover the new exploitation techniques on its own—trusted third parties contributed. That points to a larger need for coordinated threat intelligence sharing and not relying solely on vendor advisories.
- Looking forward, we expect more disclosures tied to SMA devices and possibly chaining of vulnerabilities. For example, CVE-2021-20035 could be used in tandem with these new flaws for multi-stage intrusions.
- Undercode’s recommendation: audit all remote access systems, verify firmware versions, and implement full-traffic packet inspection around your VPN appliances. Monitor for anomalous logins and token reuse.
- Harden access control. Limit administrative access to SMA devices using IP whitelisting or network segmentation, and rotate VPN credentials regularly.
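As a defender-side illustration of the "verify firmware versions" step, the following script (added here; it is not from the original post, SonicWall, or thehackernews.com) checks an inventory of SMA100 firmware strings against the two fix versions quoted in the advisory summary above. The hostnames and firmware values in the sample inventory are constructed, and the script only knows about the two CVEs whose fix versions this post gives.

```python
import re
from typing import Dict, List, Tuple, Union

# Minimum fixed firmware per CVE, as quoted in this post's advisory summary.
FIXED_VERSIONS = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# SMA100 firmware strings look like 10.2.1.14-75sv: four dotted fields, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so tuples compare numerically.
    Raises ValueError for strings that do not match the SMA100 firmware format,
    so a bad inventory entry is never silently treated as patched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def missing_fixes(installed: str) -> List[str]:
    """Return the CVEs from this post whose fix is newer than the installed firmware."""
    current = parse_version(installed)
    return [cve for cve, fixed in FIXED_VERSIONS.items() if current < parse_version(fixed)]


def audit(inventory: Dict[str, str]) -> Dict[str, Union[List[str], str]]:
    """Map each appliance to its outstanding CVEs; unparseable versions are flagged for review."""
    report: Dict[str, Union[List[str], str]] = {}
    for host, version in inventory.items():
        try:
            report[host] = missing_fixes(version)
        except ValueError as exc:
            report[host] = f"REVIEW: {exc}"
    return report


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.9-57sv",     # predates both fixes
    "sma-hq-02": "10.2.1.10-62sv",    # has the 2023 fix only
    "sma-dc-01": "10.2.1.14-75sv",    # carries both fixes
    "sma-lab-01": "10.2.1.15-81sv",   # hypothetical later build
    "sma-old-01": "unknown",          # needs manual review
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        status = result if isinstance(result, str) else (", ".join(result) or "patched")
        print(f"{host}: {status}")
```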
Fact Checker Results
- Confirmed: CVE-2023-44221 and CVE-2024-38475 are listed in the NVD and have public CVSS scores.
- Verified: SonicWall issued patch updates and advisories on both vulnerabilities, including version details.
- In the Wild: Exploitation has been confirmed by SonicWall as of April 29, 2025.
Prediction
Given the current pattern and attacker interest in VPN infrastructure, SonicWall’s SMA100 appliances are likely to be part of a broader campaign targeting remote access systems across multiple vendors. We expect:
– Further chaining of old and new CVEs in multi-step attack chains.
– Exploit kits to emerge publicly within months, if not weeks.
– At least one ransomware campaign leveraging session hijacking on patched-but-unmonitored SMA devices by Q3 2025.
This is a wake-up call not just for SonicWall users but for all enterprises relying on secure remote access.
References:
Reported By: thehackernews.com