Full Report
SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-44221 (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to
Analysis Summary
# Vulnerability: SonicWall SMA100 Flaws Leading to Command Injection and Session Hijacking
## CVE Details
- CVE ID: CVE-2023-44221
- CVSS Score: 7.2 (High)
- CWE: Not specified (Related to OS Command Injection)
- CVE ID: CVE-2024-38475
- CVSS Score: 9.8 (Critical)
- CWE: Not specified (Related to Improper Output Escaping/Path Traversal)
## Affected Systems
- Products: SonicWall SMA100 Series Appliances (Secure Mobile Access)
- Versions: Explicit pre-patch versions not listed, but patched versions are provided below.
- Configurations: Applies to SMA100 devices running vulnerable firmware.
## Vulnerability Description
1. **CVE-2023-44221 (OS Command Injection):** Improper neutralization of special elements within the SMA100 SSL-VPN management interface allows a remote, *authenticated* attacker with administrative privileges to inject arbitrary OS commands, executing them as the `nobody` user.
2. **CVE-2024-38475 (Path Traversal/File Access):** Improper escaping of output in `mod_rewrite` in Apache HTTP Server (used by the appliance) allows an attacker to map URLs to arbitrary file system locations permitted by the server, potentially enabling file disclosure or other attacks. SonicWall noted an additional exploitation technique using this flaw could enable session hijacking via unauthorized file access.
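The injection class behind CVE-2023-44221 (untrusted input reaching a shell) is easiest to see side by side with its hardened form. The following is an added, hypothetical illustration and is not SonicWall code or any reconstruction of the SMA100 management interface: it models a generic "ping a host" admin action, shows how a shell would parse an unsafe concatenated string, and contrasts it with allowlist validation plus an argv list that never reaches `/bin/sh`. The hostname regex, function names and the constructed `10.0.0.1; id` input are all assumptions of the example.

```python
"""Hypothetical illustration of the OS command injection pattern (CWE-78)
described for CVE-2023-44221. This is NOT SonicWall's code: it models a
generic "ping a host" admin action to contrast an unsafe shell-string build
with an allowlist-validated argv build that never reaches /bin/sh."""
from __future__ import annotations

import re
import shlex
import subprocess

# Strict hostname allowlist: labels of letters/digits/hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
SHELL_SEPARATORS = {";", "&", "&&", "|", "||"}


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into one shell string.
    Returned rather than executed so the effect on parsing can be inspected."""
    return "ping -c 1 " + host


def split_as_shell_would(cmd: str) -> list[list[str]]:
    """Tokenize like a POSIX shell and split on command separators, to show
    how many distinct commands the string would actually run."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands: list[list[str]] = [[]]
    for tok in lexer:
        if tok in SHELL_SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(tok)
    return [c for c in commands if c]


def validate_host(host: str) -> str:
    """Allowlist check: anything outside hostname syntax is rejected outright."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_ping_argv_safe(host: str) -> list[str]:
    """Hardened pattern: validated input placed in an argv list. Even if
    validation were bypassed, the value is a single argument to ping, not
    text that a shell interprets."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping_safe(host: str) -> int:
    """Execute without a shell (a list argument means shell=False)."""
    proc = subprocess.run(
        build_ping_argv_safe(host), capture_output=True, text=True, check=False
    )
    return proc.returncode


if __name__ == "__main__":
    tainted = "10.0.0.1; id"  # constructed input containing a shell separator
    print("unsafe string   :", build_ping_command_unsafe(tainted))
    print("shell would run :", split_as_shell_would(build_ping_command_unsafe(tainted)))
    print("safe argv       :", build_ping_argv_safe("vpn.example.com"))
    try:
        build_ping_argv_safe(tainted)
    except ValueError as exc:
        print("hardened path   :", exc)
```

The two defences are deliberately layered: the allowlist rejects anything that is not a hostname, and the argv form means that even a value which slips past validation is delivered to `ping` as one argument rather than re-parsed by a shell. Running such handlers as a low-privilege account (the page notes commands execute as `nobody`) limits blast radius but does not remove the injection itself.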
## Exploitation
- Status: Confirmed **Exploited in the wild** (as of April 29, 2025 update).
- Complexity: Not explicitly detailed; the Critical (9.8) CVSS score for CVE-2024-38475 suggests exploitation is relatively straightforward.
- Attack Vector: Implied to be network-based, targeting the management interface for command injection, and file access for session hijacking.
## Impact
- Confidentiality: High (Potential unauthorized file access and session hijacking via CVE-2024-38475).
- Integrity: High (Arbitrary command execution as `nobody` user via CVE-2023-44221).
- Availability: Not explicitly detailed, but RCE/injection attacks generally pose a risk to availability.
## Remediation
### Patches
- **For CVE-2023-44221:** Upgrade to version **10.2.1.10-62sv** or higher. (Fixed status date: December 4, 2023)
- **For CVE-2024-38475:** Upgrade to version **10.2.1.14-75sv** or higher. (Fixed status date: December 4, 2024)
### Workarounds
- SonicWall urged customers to review their SMA devices to ensure there are no unauthorized logins, indicating this as an immediate triage step. (No specific technical workarounds were detailed in this summary).
## Detection
- **Indicators of compromise:** Unauthorized logins observed on SMA devices.
- **Detection methods and tools:** Reviewing SMA logs for anomalous authentication attempts or suspicious activity indicative of unauthorized file access or command execution patterns.
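One way to turn the "review SMA logs for anomalous authentication attempts" step into a repeatable check is a small triage script that flags successful logins worth a human look. The script below is an added example, not SonicWall tooling: the log line format, the sample lines, the rule thresholds and the trusted-source allowlist are all constructed for this illustration, and `LINE_RE` must be adapted to the appliance's real syslog layout before use.

```python
"""Added triage helper for the detection step above: scans appliance
authentication log lines for the unauthorized-login signal SonicWall told
customers to look for. The line format below is CONSTRUCTED for this example
and is not SonicWall's real syslog layout; adapt LINE_RE to the real one."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: one normal admin login, a failure burst from an external
# address followed by a success at night, and an ordinary user login.
SAMPLE_LOG = """\
2025-04-29T09:02:11Z auth user=admin src=10.0.5.20 result=success
2025-04-29T23:41:02Z auth user=admin src=198.51.100.77 result=failure
2025-04-29T23:41:09Z auth user=admin src=198.51.100.77 result=failure
2025-04-29T23:41:15Z auth user=admin src=198.51.100.77 result=failure
2025-04-29T23:41:40Z auth user=admin src=198.51.100.77 result=success
2025-04-30T10:15:33Z auth user=jdoe src=10.0.5.31 result=success
"""


def parse_log(text: str) -> list[dict]:
    """Parse lines into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(rec)
    return records


def triage(
    text: str,
    trusted_admin_sources: set[str],
    privileged_users: frozenset[str] = frozenset({"admin"}),
    fail_threshold: int = 3,
    window: timedelta = timedelta(minutes=10),
    business_hours: tuple[int, int] = (8, 18),
) -> list[dict]:
    """Return one finding per successful login that trips any rule:
      1. privileged account authenticated from a source outside the allowlist;
      2. success preceded by >= fail_threshold failures (same user+source) within window;
      3. success outside business_hours (UTC hours, [start, end))."""
    failures: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    findings = []
    for rec in parse_log(text):
        key = (rec["user"], rec["src"])
        ts = rec["ts"]
        recent = failures[key]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if rec["result"] == "failure":
            recent.append(ts)
            continue
        reasons = []
        if rec["user"] in privileged_users and rec["src"] not in trusted_admin_sources:
            reasons.append("privileged login from untrusted source")
        if len(recent) >= fail_threshold:
            reasons.append(f"success after {len(recent)} failures within {window}")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append("login outside business hours (UTC)")
        recent.clear()  # a success resets the failure run for this user+source
        if reasons:
            findings.append(
                {"ts": ts.isoformat(), "user": rec["user"], "src": rec["src"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_admin_sources={"10.0.5.20"}):
        print(f["ts"], f["user"], f["src"], "->", "; ".join(f["reasons"]))
```

On the constructed sample the script reports only the night-time admin login from `198.51.100.77`, with all three rules tripped; the daytime admin login from the trusted address and the ordinary user login produce nothing. Any finding on a real appliance is a prompt for the review SonicWall recommended, not proof of compromise, and the tuning knobs (allowlist, failure threshold, window, hours) should reflect the environment's normal admin behaviour.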
## References
- Vendor advisory referencing CVE-2023-44221: psirt dot global dot sonicwall dot com/vuln-detail/SNWLID-2023-0018 (Defanged)
- Vendor advisory referencing CVE-2024-38475: psirt dot global dot sonicwall dot com/vuln-detail/SNWLID-2024-0018 (Defanged)
- Article URL: thehackernews dot com/2025/05/sonicwall-confirms-active-exploitation dot html (Defanged)