Severity
High
Analysis Summary
SonicWall has confirmed that two now-patched vulnerabilities affecting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. These flaws pose serious security risks to organizations using SMA 100 Series devices, including SMA 200, 210, 400, 410, and 500v models.
The first vulnerability, CVE-2023-44221 with high severity, involves improper neutralization of special elements in the SSL-VPN management interface. It allows a remote, authenticated attacker with administrative privileges to inject arbitrary commands as a “nobody” user, leading to a potential OS command injection. This issue was addressed in version 10.2.1.10-62sv and later, with a fix released on December 4, 2023.
The second flaw, CVE-2024-38475, is a more critical issue involving improper output escaping in the mod_rewrite module of Apache HTTP Server versions 2.4.59 and earlier. It allows attackers to map URLs to sensitive file system locations that the server is permitted to serve, potentially exposing critical files. This vulnerability was patched in version 10.2.1.14-75sv, released on December 4, 2024.
In an updated advisory issued on April 29, 2025, SonicWall stated that both vulnerabilities are now actively being exploited and urged customers to verify their devices for signs of unauthorized logins. Notably, SonicWall and its security partners also identified an additional exploitation technique leveraging CVE-2024-38475 that may allow session hijacking through unauthorized access to specific files.
While SonicWall has not disclosed specific exploitation methods, attack targets, or the extent of the attacks, organizations using affected SMA appliances are strongly encouraged to apply the latest firmware updates and conduct thorough reviews of device logs for suspicious activity.
Impact
- Gain Access
- Code Execution
Indicators of Compromise
CVE
CVE-2023-44221
CVE-2024-38475
Remediation
- Update to firmware version 10.2.1.10-62sv or later to fix CVE-2023-44221.
- Update to firmware version 10.2.1.14-75sv or later to fix CVE-2024-38475.
- Review authentication and system logs on all SMA devices for signs of unauthorized access.
- Monitor VPN access logs for anomalies or unexpected session behavior.
- Look for indicators of session hijacking and invalidate active sessions if suspicious activity is detected.
- Restrict administrative access to trusted IP ranges only.
- Enable and enforce multi-factor authentication (MFA) for all administrative users.
- Avoid exposing the SMA management interface directly to the internet.
- Require VPN access for all administrative management of SMA appliances.
- Back up the current configuration after updates are applied.
- Audit device settings for any unexpected or unauthorized changes.
- Subscribe to SonicWall security notifications and regularly check for new advisories.
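One way to implement two of the log checks above (a session ID seen from more than one source address, and administrative logins from outside the trusted ranges), as an added Python example that is not SonicWall's code and not from the advisory. The log line format, the trusted range and the sample lines are constructed assumptions, since the advisory gives no SMA log format; adapt the parser to the appliance's actual export.

```python
"""Review helpers for SMA VPN access logs (added example, assumed log format)."""
import ipaddress
from collections import defaultdict

# Constructed sample lines in an assumed "timestamp user session src_ip role" format.
# Real SMA log exports differ; parse_log() is the only function that depends on it.
SAMPLE_LOG = """\
2025-04-30T08:00:01Z alice sess-1a2b 203.0.113.10 user
2025-04-30T08:05:12Z alice sess-1a2b 203.0.113.10 user
2025-04-30T08:07:45Z alice sess-1a2b 198.51.100.77 user
2025-04-30T09:00:00Z admin sess-9f8e 192.0.2.5 admin
2025-04-30T09:30:30Z admin sess-c3d4 198.51.100.9 admin
"""

# Assumed trusted administrative source range (documentation prefix, not a real site).
TRUSTED_ADMIN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_log(text):
    """Turn the assumed whitespace-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, src, role = line.split()
        events.append({"ts": ts, "user": user, "session": session,
                       "src": ipaddress.ip_address(src), "role": role})
    return events


def sessions_from_multiple_ips(events):
    """Session IDs used from more than one source address.

    A session token that suddenly appears from a second address is the classic
    sign of a hijacked session; these are candidates for invalidation.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e["session"]].add(e["src"])
    return sorted(s for s, addrs in seen.items() if len(addrs) > 1)


def admin_logins_outside_trusted(events, trusted=TRUSTED_ADMIN_RANGES):
    """(user, src_ip) pairs for admin-role events not inside any trusted range."""
    hits = {(e["user"], str(e["src"])) for e in events
            if e["role"] == "admin" and not any(e["src"] in net for net in trusted)}
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("sessions from multiple IPs:", sessions_from_multiple_ips(evts))
    print("admin logins outside trusted ranges:", admin_logins_outside_trusted(evts))
```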