
A new exploit chain targeting SonicWall’s Secure Mobile Access (SMA) appliances has been released. Published by watchTowr Labs, the technical disclosure outlines how two distinct vulnerabilities, CVE-2023-44221 and CVE-2024-38475, can be chained to let remote, unauthenticated attackers hijack admin sessions and execute arbitrary code.
Described by SonicWall as a critical vulnerability, CVE-2024-38475 resides in Apache HTTP Server’s mod_rewrite module, affecting version 2.4.59 and earlier. Improper escaping of output allows attackers to map malicious URLs to sensitive file paths, effectively bypassing authentication on affected SMA appliances.
Exploited against a SonicWall SMA appliance, CVE-2024-38475 allows an attacker to bypass authentication and gain administrative control. On its own this would pose a substantial risk; paired with CVE-2023-44221, the danger escalates.
Unlike the pre-auth bug, CVE-2023-44221 is a post-authentication command injection vulnerability in the Diagnostics menu of the SMA management interface. Because special elements in the input are not properly neutralized, an attacker with admin privileges can inject arbitrary system commands, which run in the context of the nobody user.
This flaw becomes especially dangerous when an attacker leverages CVE-2024-38475 to hijack a session or elevate privileges without needing valid credentials.
By chaining the two flaws, a threat actor could first use CVE-2024-38475 to reach restricted admin pages and steal session tokens, then use CVE-2023-44221 to execute arbitrary commands on the device. watchTowr Labs has also published a working proof-of-concept (PoC) exploit chain, underscoring the urgency of patching.
The vulnerabilities impact the following SonicWall SMA appliances:
- SMA 200
- SMA 210
- SMA 400
- SMA 410
- SMA 500v
SonicWall has issued firmware version 10.2.1.14-75sv and later as the fix. The company also confirmed an additional exploitation technique involving CVE-2024-38475, stating: “Unauthorized access to certain files could enable session hijacking.”
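As an added illustration (not code from watchTowr or SonicWall), the following inventory triage helper flags appliances that are in the affected model list and run firmware older than 10.2.1.14-75sv. The inventory rows and hostnames are constructed, and the `major.minor.patch.build-NNsv` version format is assumed from the fixed version quoted above.

```python
import re

# Affected models and the fixed firmware, as given in the advisory summary above.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
FIXED_VERSION = "10.2.1.14-75sv"

# Assumed SMA 100-series format: four dotted numbers, a dash, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> tuple:
    """Turn '10.2.1.14-75sv' into a comparable tuple (10, 2, 1, 14, 75).
    Raises ValueError for strings that do not match the expected format."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())


def needs_patch(model: str, version: str) -> bool:
    """True when the model is in scope and its firmware predates the fix.
    Out-of-scope models return False without parsing the version string."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_sma_version(version) < parse_sma_version(FIXED_VERSION)


def triage(inventory):
    """Return (hostname, reason) for every record that still needs attention.
    Unparsable versions on in-scope models are reported rather than silently skipped."""
    findings = []
    for hostname, model, version in inventory:
        try:
            vulnerable = needs_patch(model, version)
        except ValueError:
            findings.append((hostname, f"{model}: unparsable version {version!r}, verify manually"))
            continue
        if vulnerable:
            findings.append((hostname, f"{model} on {version} is older than {FIXED_VERSION}"))
    return findings


# Constructed sample inventory; hostnames and firmware strings are made up for this example.
SAMPLE_INVENTORY = [
    ("vpn-01.example.test", "SMA 410", "10.2.1.13-72sv"),   # older build: needs patch
    ("vpn-02.example.test", "SMA 500v", "10.2.1.14-75sv"),  # exactly the fixed version
    ("vpn-03.example.test", "SMA 200", "10.2.1.9-57sv"),    # older patch level: needs patch
    ("vpn-04.example.test", "SMA 1000", "n/a"),             # out-of-scope model: not checked
    ("vpn-05.example.test", "SMA 400", "unknown"),          # in scope, version missing
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```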
The Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to its KEV catalog on May 1, 2025, mandating that federal agencies apply patches by May 22, 2025.