SonicWall Confirms Active Exploitation of SMA 100 Vulnerabilities – Urges Immediate Patching

On April 29, 2025, SonicWall issued an urgent update to two previously disclosed vulnerabilities affecting its SMA 100 Series appliances, confirming that both flaws are now actively being exploited in the wild. The company strongly advises customers to update to the latest secure firmware versions to prevent potential compromise.

First identified in December 2023, CVE-2023-44221 has now been confirmed as under active exploitation. The vulnerability—assigned a CVSS score of 7.2—arises from “improper neutralization of special elements in the SMA100 SSL-VPN management interface,” according to SonicWall’s PSIRT advisory.

This flaw allows a remote attacker, authenticated with administrative privileges, to inject arbitrary operating system commands as the ‘nobody’ user. Successful exploitation can lead to full OS command execution, jeopardizing the confidentiality and integrity of affected systems.

“During further analysis, SonicWall and trusted security partners identified that CVE-2023-44221 is potentially being exploited in the wild,” the company confirmed. “SMA100 devices updated with the fixed firmware version 10.2.1.10-62sv or latest release version are not vulnerable to CVE-2023-44221 exploitation.”

Impacted Versions:

• SMA 100 Series (Models: 200, 210, 400, 410, 500v) running firmware 10.2.1.9-57sv and earlier

Fixed Version:

• Firmware 10.2.1.10-62sv and above

The second critical vulnerability, CVE-2024-38475 (CVSS 9.8), stems from a path traversal flaw linked to a publicly disclosed issue in Apache HTTP Server’s mod_rewrite module.

The vulnerability allows attackers to manipulate URLs in a way that bypasses intended directory restrictions, effectively mapping URLs to protected file system paths. SonicWall warns that this flaw can be weaponized to hijack user sessions under specific circumstances.

“SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking,” SonicWall said in the advisory. “SMA100 devices updated with firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique.”

Impacted Versions:

• SMA 100 Series (Models: 200, 210, 400, 410, 500v) running firmware 10.2.1.13-72sv and earlier

Fixed Version:

• Firmware 10.2.1.14-75sv and above

SonicWall urges all customers using SMA 100 series devices to:

• Immediately update to the latest firmware to mitigate these vulnerabilities.
• Audit administrative login activity to detect any unauthorized access attempts.
• Monitor system logs and traffic for signs of abnormal behavior.

Related Posts:

• Multiple Vulnerabilities in SonicWall SMA 100 Could Lead to Remote Code Execution
• Multiple Vulnerabilities Found in SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client
• CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
• SonicWall Issues Urgent Patch for Critical Firewall Vulnerability (CVE-2024-40766)
• Akira Ransomware Exploits SonicWall SSLVPN Flaw (CVE-2024-40766)