SonicWall has recently issued a warning about several vulnerabilities impacting its Secure Mobile Access (SMA) appliances. These vulnerabilities, identified as CVE-2023-44221 and CVE-2024-38475, are now being actively exploited in attacks. CVE-2023-44221 is a high-severity command injection vulnerability affecting the SMA100 SSL-VPN management interface, enabling attackers to inject arbitrary commands. Meanwhile, CVE-2024-38475 is a critical flaw in the Apache HTTP Server, which allows unauthenticated remote attackers to gain code execution on vulnerable devices.
The vulnerabilities impact SMA 200, 210, 400, 410, and 500v devices, with patches available in firmware version 10.2.1.14-75sv and later.
SonicWall also discovered that CVE-2024-38475 could be exploited for session hijacking by unauthorized access to certain files. The company further confirmed that CVE-2023-44221, a post-authentication OS command injection flaw, is potentially being exploited in active attacks, urging customers to review their SMA devices for unauthorized logins.
Earlier this month, SonicWall had flagged another vulnerability, CVE-2021-20035, which had been actively exploited in remote code execution attacks targeting SMA100 VPN appliances. Arctic Wolf, a cybersecurity firm, confirmed that the flaw had been exploited since January 2025, prompting CISA to add it to the Known Exploited Vulnerabilities catalog.
U.S. federal agencies have been ordered to secure their networks against these ongoing attacks, highlighting the growing concern surrounding SMA device security.
In addition to these vulnerabilities, SonicWall had previously warned of other critical flaws, including one affecting SMA1000 secure access gateways and an authentication bypass flaw in Gen 6 and Gen 7 firewalls. These flaws, which allow hackers to hijack VPN sessions, have led to active exploitation. SonicWall continues to advise customers to apply patches promptly and remain vigilant against potential attacks targeting these devices.
Reference:
