Full Report
Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks. [...]
Analysis Summary
# Vulnerability: SonicWall SMA100 Vulnerabilities Under Active Exploitation
## CVE Details
- CVE-2023-44221
  - CVSS Score: *Score not explicitly provided in text, assumed High based on context*
  - CWE: Post Authentication OS Command Injection
- CVE-2024-38475
  - CVSS Score: *Score not explicitly provided in text*
  - CWE: *CWE not explicitly provided in text*
- CVE-2021-20035
  - CVSS Score: *Score not explicitly provided in text, but CISA flagged as actively exploited*
  - CWE: *CWE not explicitly provided in text*
## Affected Systems
- Products: SonicWall SMA100 VPN appliances (the source also mentions related issues affecting SMA1000 secure access gateways)
- Versions: The summary text does not list specific vulnerable versions for CVE-2023-44221, CVE-2024-38475, or CVE-2021-20035.
- Configurations: Applies to SMA devices hosting the affected VPN functionality.
## Vulnerability Description
The article highlights multiple active threats against SonicWall SMA appliances:
1. **CVE-2023-44221 (Post Authentication OS Command Injection):** This vulnerability allows an attacker who has already authenticated to execute OS commands.
2. **CVE-2024-38475:** This vulnerability involves unauthorized access to certain files, which can lead to **session hijacking**.
3. **CVE-2021-20035:** This previously patched flaw is now being exploited for **Remote Code Execution (RCE)** attacks.
## Exploitation
- Status: **Actively exploited in the wild** for CVE-2023-44221 and CVE-2021-20035.
- Complexity: *No complexity ratings are provided; the text only establishes that exploitation in the wild is occurring.*
- Attack Vector: Primarily **Network** access to the VPN appliance (Remote exploitation).
## Impact
- Confidentiality: High potential due to RCE and unauthorized file access.
- Integrity: High potential due to OS command injection and potential system takeover.
- Availability: High potential through system compromise.
## Remediation
### Patches
Based on the context of exploitation and advisories:
- Patches for **CVE-2023-44221** should be applied (Refer to SNWLID-2023-0018 advisory).
- Patches for **CVE-2024-38475** should be applied (Refer to SNWLID-2024-0018 advisory).
- Patches for **CVE-2021-20035** (the RCE flaw) should be applied, noting this flaw was patched previously but is seeing renewed exploitation (Refer to SNWLID-2021-0022 advisory).
### Workarounds
- **Session Hijacking for CVE-2024-38475:** The excerpt details no technical workaround; prompt patching is the implied remediation.
- **General Mitigation:** SonicWall PSIRT recommends that customers review their SMA devices to ensure no unauthorized logins are present, i.e. investigate for possible compromise.
## Detection
- **Indicators of Compromise (IOCs):** The only indicator the text names is evidence of unauthorized logins on SMA devices.
- **Detection Methods and Tools:** Customers should review SMA logs for successful authentications followed by unusual command execution or file access patterns consistent with the CVEs discussed. CISA has mandated action for US federal agencies regarding CVE-2021-20035.
## References
- Vendor Advisory (CVE-2023-44221): hXXps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018
- Vendor Advisory (CVE-2024-38475): hXXps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
- Vendor Advisory (CVE-2021-20035): hXXps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022
- CISA KEV Catalog addition for CVE-2021-20035: hXXp://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog