
The US Cybersecurity and Infrastructure Security Agency (CISA) has officially added two critical vulnerabilities affecting SonicWall Secure Mobile Access (SMA) 100 series devices to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, tracked as CVE-2023-44221 and CVE-2024-38475, enable remote code execution (RCE) and arbitrary file reads, respectively. Active exploitation has been confirmed by both CISA and SonicWall, with patches available for affected systems.
Executive Summary for Security Leaders
The vulnerabilities pose significant risk to organizations exposing SonicWall SMA 100 SSL-VPN appliances. CVE-2023-44221 lets an attacker who already holds an authenticated admin session execute OS commands through the management interface, while CVE-2024-38475 lets an unauthenticated attacker read files the web server can reach, including the store that holds admin session tokens. Chained, the second flaw supplies the session the first one needs, giving full compromise of the appliance without any valid credentials. Under Binding Operational Directive (BOD) 22-01, federal civilian agencies must remediate KEV entries within the catalog's due date, which for these two entries is May 22, 2025.
- CVE-2023-44221: Post-auth OS command injection in the SMA 100 management interface (CVSS 7.2); commands run as the low-privilege `nobody` user
- CVE-2024-38475: Pre-auth arbitrary file read (CVSS 9.1) through an Apache HTTP Server mod_rewrite flaw (improper escaping of output) in the web front end shipped on the appliance
- Affected Versions: SMA 100 firmware prior to v10.2.1.10-62sv (CVE-2023-44221) and v10.2.1.14-75sv (CVE-2024-38475)
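Because the two fixes landed in different builds, a fleet can be half-patched. The triage helper below is an added example, not code from SonicWall or any cited source. It parses SMA 100 build strings of the form `10.2.1.14-75sv` into numeric tuples so that comparisons are done numerically; the build strings in `SAMPLE_INVENTORY` are constructed for illustration and do not correspond to real devices. The fixed builds are the ones stated above.

```python
import re

# Fixed builds named in SonicWall's advisories for the two CVEs.
FIXED_BUILDS = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# SMA 100 build strings look like MAJOR.MINOR.PATCH.REV-BUILDsv
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so ordering is numeric.

    Plain string comparison gets this wrong: as text, '10.2.1.9-60sv' sorts
    *after* '10.2.1.10-62sv', which would mark a vulnerable box as patched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 build string: {version!r}")
    return tuple(int(g) for g in m.groups())


def missing_fixes(version: str) -> list[str]:
    """Return the CVEs whose fixing build is newer than the running build."""
    running = parse_build(version)
    return [cve for cve, fixed in FIXED_BUILDS.items() if running < parse_build(fixed)]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map hostname -> list of unpatched CVEs ([] means fully patched)."""
    return {host: missing_fixes(build) for host, build in inventory.items()}


# Constructed inventory for illustration only; hostnames and builds are made up.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.9-60sv",    # predates both fixes
    "sma-hq-02": "10.2.1.12-68sv",   # has the 2023 fix but not the 2024 one
    "sma-dc-01": "10.2.1.14-75sv",   # carries both fixes
}

if __name__ == "__main__":
    for host, gaps in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'patched' if not gaps else ', '.join(gaps)}")
```

Feed it the firmware strings from your asset inventory; anything that returns a non-empty list needs the upgrade regardless of whether the management interface is exposed, since CVE-2024-38475 needs no authentication.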
Technical Analysis of Exploited Vulnerabilities
CVE-2023-44221 was disclosed in December 2023 and credited to researcher Wenjie Zhong of DBappSecurity. It is an OS command injection caused by insufficient sanitization of input handled by the SMA 100 management interface. Exploitation requires an authenticated administrative session, which is why the flaw carries a 7.2 score despite yielding code execution. Injected commands run with the privileges of the `nobody` user, so an attacker lands with a low-privilege shell on the appliance and must escalate or pivot from there. SonicWall fixed the issue in firmware version 10.2.1.10-62sv.
CVE-2024-38475 is a flaw in Apache HTTP Server's mod_rewrite module, not in SonicWall's own code: because mod_rewrite did not properly escape output when substituting into rewrite rules, a crafted URL could be mapped to a filesystem path the server was permitted to serve but never intended to expose. On the SMA 100, which runs Apache as its web front end, this gives an unauthenticated attacker arbitrary file read. The files of interest are the ones holding authenticated admin session tokens; with a stolen token the attacker satisfies the authentication requirement of CVE-2023-44221 and moves straight to command execution. SonicWall shipped the fixed Apache build in firmware 10.2.1.14-75sv; every earlier SMA 100 release is affected.
Exploitation in the Wild
watchTowr Labs documented the full chain in its April 2025 "SonicBoom" research, and SonicWall has since confirmed that the flaws are being exploited in the wild. The attack pattern is:
- Exploiting CVE-2024-38475 to read the appliance's session store and recover a valid admin token
- Replaying that token against the management interface to trigger the command injection in CVE-2023-44221
- Using the resulting shell as `nobody` to establish persistence and stage post-exploitation tooling
CISA added both CVEs to the KEV catalog on May 1, 2025. This follows the April 2025 KEV addition of CVE-2021-20035, another post-authentication command injection in the same SMA 100 product line that had also been found under active exploitation.
Mitigation and Detection
SonicWall recommends immediate patching to the latest firmware versions. For organizations unable to patch immediately:
| Action | Implementation |
|---|---|
| Network controls | Restrict access to the SMA 100 management interface to trusted administrative IP ranges; do not expose it to the internet |
| Log monitoring | Review the appliance's web logs for requests containing percent-encoded `?`, `/`, or `..` sequences (the building blocks for steering a rewrite rule off the document root), for management-interface requests from addresses outside the admin allowlist, and for a single session cookie appearing from more than one client IP, which is the signature of a replayed stolen token |
| Session and credential hygiene | After patching, terminate all active sessions and rotate administrator passwords, since tokens stolen before the upgrade remain valid until invalidated |
| Compromise checks | Submit suspicious binaries or scripts recovered from the appliance to CISA's Malware Next-Gen analysis service and compare against published indicators |
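The three log checks in the table above, as an added example that is not part of the original article or of any SonicWall or CISA tooling. It assumes an Apache "combined" log format with one extra trailing field carrying the session cookie value (or `-`), assumes that management endpoints live under `/cgi-bin/`, and treats the sample log lines as constructed data; the encoded path in the second line is an illustrative probe, not a working exploit request. Adjust `LOG_RE` and `ADMIN_PREFIXES` to match your own deployment.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Apache combined format plus one trailing field for the session cookie.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<session>\S+)$'
)

# Assumption: management endpoints sit under these prefixes; tune per deployment.
ADMIN_PREFIXES = ("/cgi-bin/",)

# Percent-encoded '?', '/', '\' and '.' do not occur in benign browser-generated paths;
# they are what an attacker uses to push a rewrite rule at a file it was not meant to serve.
SUSPICIOUS_ENCODING = re.compile(r"%(3f|2f|5c|2e)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, trusted_admin_nets):
    """Run the three checks over log lines; return alerts in the order they fire."""
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    alerts = []
    session_ips = defaultdict(set)  # session cookie -> client IPs seen using it
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, sess = rec["ip"], rec["path"], rec["session"]

        # 1. Encoded specials, or traversal once decoded: path-mapping abuse.
        if SUSPICIOUS_ENCODING.search(path) or TRAVERSAL.search(unquote(path)):
            alerts.append({"rule": "path_mapping_abuse", "ip": ip, "detail": path})

        # 2. Management interface reached from outside the admin allowlist.
        if path.startswith(ADMIN_PREFIXES):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                alerts.append({"rule": "admin_from_untrusted_ip", "ip": ip, "detail": path})

        # 3. The same session cookie turning up from a second client: replayed token.
        if sess != "-":
            seen = session_ips[sess]
            if seen and ip not in seen:
                alerts.append({"rule": "session_reused_from_new_ip", "ip": ip, "detail": sess})
            seen.add(ip)
    return alerts


# Constructed sample log. Addresses are from documentation ranges; the probe path is illustrative.
SAMPLE_LOG = """\
10.20.30.40 - - [01/May/2025:09:58:12 +0000] "GET /cgi-bin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" sess_9f3a
203.0.113.7 - - [01/May/2025:10:00:05 +0000] "GET /images/..%2F..%2F..%2Fetc%2Fpasswd%3F HTTP/1.1" 200 8192 "-" "curl/8.5.0" -
203.0.113.7 - - [01/May/2025:10:02:10 +0000] "POST /cgi-bin/ HTTP/1.1" 200 512 "-" "curl/8.5.0" sess_9f3a
198.51.100.9 - - [01/May/2025:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/5.0" -
"""
TRUSTED_ADMIN_NETS = ["10.20.30.0/24"]  # assumed admin range for the sample


def run_sample():
    return detect(SAMPLE_LOG.splitlines(), TRUSTED_ADMIN_NETS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['rule']:28} {a['ip']:15} {a['detail']}")
```

On the sample, the legitimate admin login from the trusted range produces nothing, the encoded probe trips the first rule, and the attacker's later request to the management interface trips both the allowlist check and the session-reuse check, because it carries the cookie first seen from the real administrator's address. The third rule is the one most worth keeping after patching: it catches token replay regardless of which file-read bug supplied the token.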
Historical Context
SonicWall edge appliances have been frequent targets since early 2021, when CVE-2021-20016, a pre-authentication SQL injection in SMA 100 that leaked credentials and session data, was exploited first as a zero-day and then by ransomware operators. CVE-2023-0656 (CVSS 7.5), an unauthenticated stack-based buffer overflow in SonicOS, showed the same vendor's firewalls drawing attention in 2023. The current chain continues the pattern of attackers working VPN gateways from the unauthenticated surface inward.
Conclusion
These vulnerabilities represent a critical threat to organizations using SonicWall SMA 100 devices. The combination of pre-auth file reads and post-auth RCE creates a potent attack chain that requires immediate remediation. Security teams should prioritize patching and monitor for the specific exploit patterns documented in this article.
References
- watchTowr Labs, "SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)", April 2025.
- The Hacker News, "SonicWall Confirms Active Exploitation of Critical SMA 100 Flaws", May 2025.
- CISA, "CISA Adds Two Known Exploited Vulnerabilities to Catalog", May 1, 2025.
- SonicWall Product Security Notices for CVE-2023-44221 (December 2023) and CVE-2024-38475 (updated April 2025 to note in-the-wild exploitation).