SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild.
The vulnerabilities in question are listed below –
- CVE-2023-44221 (CVSS score: 7.2) – Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a ‘nobody’ user, potentially leading to OS Command Injection Vulnerability
- CVE-2024-38475 (CVSS score: 9.8) – Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server
Both the flaws affect SMA 100 Series devices, including SMA 200, 210, 400, 410, 500v, and were addressed in the following versions –
- CVE-2023-44221 – 10.2.1.10-62sv and higher versions (Fixed on December 4, 2023)
- CVE-2024-38475 – 10.2.1.14-75sv and higher versions (Fixed on December 4, 2024)
In an update to the advisories on April 29, 2025, SonicWall said the vulnerabilities are potentially being exploited in the wild, urging customers to review their SMA devices to ensure that there are no unauthorized logins.
“During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking,” the company said.
There are currently no details on how the vulnerabilities are being exploited, who may have been targeted, and the scope and scale of these attacks.
The disclosures come weeks after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another security flaw impacting SonicWall SMA 100 Series gateways (CVE-2021-20035, CVSS score: 7.2) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
