SonicWall Zero-Day Vulnerabilities Exploited in Active Attacks: What You Need to Know

SonicWall has confirmed that two critical security vulnerabilities in its SMA100 Secure Mobile Access appliances are currently being exploited in the wild. These flaws—CVE-2023-44221 and CVE-2024-38475—affect a wide range of SMA100 series devices, including the SMA 200, 210, 400, 410, and 500v. This revelation adds to a growing list of network appliance vulnerabilities being targeted by threat actors looking to hijack sessions and execute unauthorized commands on enterprise networks.

According to the latest advisory, updated on April 29, 2025, SonicWall and its trusted security partners have observed unauthorized access methods leveraging CVE-2024-38475, enabling attackers to hijack user sessions. Additionally, CVE-2023-44221, a post-authentication OS command injection vulnerability, is being actively exploited, though details on the specific attack methods or responsible threat groups remain undisclosed.

SonicWall has addressed these vulnerabilities in firmware version 10.2.1.14-75sv, which patches both issues and eliminates the associated risk of session hijacking. Organizations using affected SMA100 devices are strongly urged to apply the update immediately, as threat actors continue to seek and exploit exposed devices that remain unpatched.

What’s Been Confirmed So Far

  • SonicWall’s SMA100 series, widely used for secure remote access, has been hit with two serious zero-day vulnerabilities.
  • CVE-2023-44221: A post-authentication OS command injection vulnerability. Exploitation allows attackers to run arbitrary commands on the system after gaining initial access.
  • CVE-2024-38475: A flaw that enables unauthorized file access, facilitating session hijacking and deeper penetration into the network.
  • SonicWall confirmed that both vulnerabilities have been actively exploited in the wild, signaling a clear and present danger.
  • Affected models include SMA 200, 210, 400, 410, and 500v, popular in both mid-sized businesses and enterprise environments.
  • The attack techniques have not been publicly detailed, likely to prevent copycat exploitation.
  • No attribution has been made so far; threat actor identities or affiliations remain unknown.
  • Security researchers suggest these zero-days may have been circulating in underground communities before public disclosure.
  • SonicWall worked with external security partners to detect and analyze the exploitation methods.
  • Firmware version 10.2.1.14-75sv fully mitigates both vulnerabilities.
  • Devices that have not applied this update remain vulnerable to session hijacking and command injection attacks.
  • These vulnerabilities could be used to bypass multi-factor authentication, steal credentials, deploy malware, or escalate privileges.
  • CVE-2023-44221’s exploitation requires authentication, meaning the attacker needs to already be inside—or have credentials.
  • CVE-2024-38475, however, opens doors to attackers without prior authentication, greatly increasing its criticality.
  • Both flaws are now being tracked across the cybersecurity community as part of a broader trend of VPN and edge appliance attacks.
  • Organizations that fail to patch may unknowingly become part of botnets or suffer data exfiltration campaigns.
  • SonicWall devices, often used in critical infrastructure and defense, represent high-value targets.
  • There is currently no known workaround for unpatched devices—firmware update is the only mitigation.
  • The lack of technical details from SonicWall frustrates some researchers, though it may slow attacker adaptation.
  • Threat intelligence feeds and honeypots are already detecting increased scanning activity for vulnerable SMA devices.
  • Given recent trends, exploitation is likely automated via mass scans and bot deployment tools.
  • Security professionals warn of future exploitation chaining these vulnerabilities with others to form complex attack paths.
  • Enterprises are advised to monitor access logs, review privilege escalation attempts, and implement behavioral anomaly detection.
  • These incidents highlight the importance of continuous patch management and layered defense strategies.
  • Organizations using older firmware versions must consider themselves compromised until proven otherwise.
  • CISA has not yet released an emergency directive, but monitoring is advised.
  • The vulnerabilities are expected to be included in attacker playbooks throughout 2025.

What Undercode Says:

SonicWall’s latest disclosure adds urgency to a cybersecurity trend that’s been building for years—threat actors are increasingly targeting network edge devices, exploiting them as entry points into protected systems. The vulnerabilities disclosed, particularly CVE-2024-38475, pose a high risk due to the potential for unauthenticated session hijacking, something that’s highly attractive to ransomware operators and APT groups.

One key takeaway is the post-authentication nature of CVE-2023-44221—this requires attackers to already have a foothold, possibly from credential theft or social engineering. It shows a shift from blind exploitation to more targeted, hybrid attacks. In contrast, CVE-2024-38475 poses a broader threat as it requires no initial authentication. From an attacker’s perspective, this drastically reduces the barriers to entry, making it perfect for mass exploitation.

The fact that SonicWall has not revealed full technical details suggests the flaws are critical and potentially easy to replicate if enough information is given. This ‘security through obscurity’ approach may buy defenders more time but frustrates the security research community that relies on shared knowledge for defense strategies.

From an industry-wide perspective, SonicWall isn’t alone. Fortinet, Cisco, and Palo Alto have all reported similar edge-device vulnerabilities in recent years. The real issue isn’t just the presence of bugs—it’s the lag in patching. With many organizations still relying on outdated firmware and legacy appliances, the attack surface remains dangerously wide.

These types of vulnerabilities are especially dangerous in hybrid work environments where VPNs and remote access tools are central to operations. A successful compromise of an SMA100 device gives attackers potential access to internal networks, user credentials, and administrative interfaces.

Security researchers have already observed heightened scanning behavior across the internet targeting SonicWall endpoints. It’s reasonable to assume botnets are being updated to exploit these CVEs automatically. Some attackers may also be leveraging zero-day marketplaces to refine exploit kits around these specific flaws.

Forensics experts recommend that organizations using SMA100 devices perform a retrospective analysis of logs dating back 60 days or more to detect potential signs of exploitation. This includes unusual session persistence, unauthorized config changes, or CLI-level access spikes.
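The retrospective review described above can be scripted. The block below is an added example written for this article, not code from SonicWall or from the original post: it parses a constructed key=value log sample (a hypothetical format, not the real SMA100 log layout; the event names session_start, session_end, cli_access and config_change are assumptions), flags sessions that stay open for an unusually long time, lists configuration changes for comparison against change tickets, counts CLI access spikes per user and hour, and checks a reported firmware string against the patched release 10.2.1.14-75sv named in the advisory. The version-ordering rule (numeric components compared left to right, then the build number) is an assumption and should be checked against SonicWall's own numbering before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Firmware that SonicWall's advisory names as fixing both CVEs.
PATCHED_FIRMWARE = "10.2.1.14-75sv"

# Constructed sample log in a hypothetical key=value format (not SonicWall's
# real SMA100 format). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-04-01T08:00:00 event=session_start user=alice session=s1 src=203.0.113.5
2025-04-01T08:05:00 event=cli_access user=alice session=s1 src=203.0.113.5
2025-04-01T17:00:00 event=session_end user=alice session=s1 src=203.0.113.5
2025-04-02T02:00:00 event=session_start user=bob session=s2 src=198.51.100.7
2025-04-02T02:01:00 event=config_change user=bob session=s2 src=198.51.100.7
2025-04-02T02:01:10 event=cli_access user=bob session=s2 src=198.51.100.7
2025-04-02T02:01:20 event=cli_access user=bob session=s2 src=198.51.100.7
2025-04-02T02:01:30 event=cli_access user=bob session=s2 src=198.51.100.7
2025-04-02T02:01:40 event=cli_access user=bob session=s2 src=198.51.100.7
2025-04-02T02:01:50 event=cli_access user=bob session=s2 src=198.51.100.7
2025-04-02T02:02:00 event=cli_access user=bob session=s2 src=198.51.100.7
2025-04-05T02:01:00 event=session_end user=bob session=s2 src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log(text):
    """Turn key=value lines into dicts carrying a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def long_sessions(events, max_hours=24):
    """Sessions open longer than max_hours (unusual session persistence).
    A session with no end event counts as open until the last log line."""
    starts, ends = {}, {}
    for e in events:
        if e.get("event") == "session_start":
            starts[e["session"]] = e
        elif e.get("event") == "session_end":
            ends[e["session"]] = e["ts"]
    last_ts = max(e["ts"] for e in events)
    flagged = {}
    for sid, start in starts.items():
        duration = ends.get(sid, last_ts) - start["ts"]
        if duration > timedelta(hours=max_hours):
            hours = round(duration.total_seconds() / 3600, 1)
            flagged[sid] = (start.get("user"), hours)
    return flagged


def config_changes(events):
    """Every configuration change, to be reconciled with change tickets."""
    return [(e["ts"], e.get("user"), e.get("src"))
            for e in events if e.get("event") == "config_change"]


def cli_spikes(events, per_hour=5):
    """(user, hour) buckets with more CLI accesses than per_hour."""
    counts = defaultdict(int)
    for e in events:
        if e.get("event") == "cli_access":
            counts[(e.get("user"), e["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return {k: v for k, v in counts.items() if v > per_hour}


def firmware_version_key(version):
    """'10.2.1.14-75sv' -> (10, 2, 1, 14, 75). ASSUMPTION: components order
    left to right with the build number last; verify against vendor numbering."""
    main, _, build = version.partition("-")
    parts = [int(p) for p in main.split(".")]
    build_num = re.match(r"\d+", build)
    parts.append(int(build_num.group()) if build_num else 0)
    return tuple(parts)


def firmware_is_unpatched(version):
    """True when the reported firmware is older than the patched release."""
    return firmware_version_key(version) < firmware_version_key(PATCHED_FIRMWARE)


def triage(text, firmware):
    """Run all checks over one log export and one reported firmware string."""
    events = parse_log(text)
    return {
        "unpatched": firmware_is_unpatched(firmware),
        "long_sessions": long_sessions(events),
        "config_changes": config_changes(events),
        "cli_spikes": cli_spikes(events),
    }


if __name__ == "__main__":
    # "10.2.1.13-72sv" is a constructed placeholder, not a known release.
    for key, value in triage(SAMPLE_LOG, "10.2.1.13-72sv").items():
        print(key, value)
```

In practice the thresholds (24 hours, 5 CLI accesses per hour) should be set from a baseline of the appliance's normal traffic, and the parser replaced with one for the export format the device actually produces; the three findings the script surfaces (a multi-day session, an off-hours configuration change, and a burst of CLI use from the same session) are the kinds of signals the retrospective review is meant to catch.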

In terms of risk prioritization, these CVEs are critical. If a device is exposed to the public internet, it must be either patched or segmented immediately. Relying on firewalls alone is insufficient, especially if session hijacking has already occurred.

What we’re seeing is a real-world example of how edge devices are becoming the weakest link in enterprise cybersecurity, often overlooked in patching cycles or misconfigured during deployment.

Fact Checker Results:

  • CVE-2023-44221 and CVE-2024-38475 are listed in NIST’s National Vulnerability Database.
  • Firmware version 10.2.1.14-75sv does address the vulnerabilities as per SonicWall’s advisory.
  • Active exploitation has been independently confirmed by multiple security researchers.

Prediction

Based on the current trajectory, exploitation of these vulnerabilities will increase over the next three to six months, especially as proof-of-concept (PoC) exploits are inevitably released. SonicWall SMA devices are likely to be included in major botnet campaigns and may become favored targets for ransomware groups seeking persistent access points into corporate environments. Expect coordinated threat actor campaigns leveraging these flaws by mid-2025, especially in sectors with poor patch hygiene like healthcare, education, and municipal IT systems.

References:

Reported By: securityaffairs.com