CISA Confirms Exploitation of SonicWall Vulnerabilities

Posted on by Admin
CISA Confirms Exploitation of SonicWall Vulnerabilities

Related Post


Edge security provider SonicWall faces a new wave of vulnerabilities affecting its products, which are being exploited in the wild.

On May 1, the US Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, CVE-2023-44221 and CVE-2024-38475.

CVE-2023-44221: SonicWall’s 2023 Post-Authentication Command Injection

CVE-2023-44221 is a post-authentication command injection vulnerability caused by improper neutralization of special elements in SonicWall’s Secure Mobile Access (SMA), specifically the SMA 100 SSL-VPN management interface.

When exploited, this high-severity flaw (CVSS 3.1 base score of 7.2) allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a ‘nobody’ user. It affects SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v.

It was detected by a security researcher, Wenjie Zhong (also known as H4lo) from DBappSecurity Co., Ltd’s Webin lab, and was disclosed by SonicWall, a CVE Numbering Authority (CNA), in December 2023.

The SonicWall also released a fix in SMA 100 series version 10.2.1.10-62sv and higher and shared it in a security advisory also published in December 2023.

In an advisory update on April 29, 2025, SonicWall confirmed CVE-2023-44221 is “potentially being exploited in the wild.”

This exploitation has now been confirmed by CISA.

CVE-2024-38475: Apache HTTP Server’s 2024 Pre-Authentication Arbitrary File Read

CVE-2024-38475 is a pre-authentication arbitrary file read affecting Apache HTTP Server.

It was first disclosed by Orange Tsai, the Principal Security Researcher at Devcore, at Black Hat USA 2024 as one of nine different vulnerabilities in the Apache HTTP Server.

CVE-2024-38475 is a critical flaw (CVSS 3.1 base score of 9.8) caused by improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier. When exploited, it allows an attacker to map URLs to file system locations that are permitted to be served by the server.

Despite officially appearing as an Apache vulnerability, CVE-2024-38475 also affects SonicWall’s SMA 100 Series (SMA 200, 210, 400, 410 and 500v) for version 10.2.1.13-72sv and earlier, explained WatchTowr Labs in a new report about the two vulnerabilities, published on May 2, 2025.

“Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a separate CVE will not be assigned for SonicWall’s usage of the vulnerable version,” the WatchTowr report reads. “This makes the situation confusing for those responding to CISA’s KEV listing – CISA is referring to the two vulnerabilities in combination being used to attack SonicWall devices.”

CVE-2024-38475 was disclosed by the Apache Software Foundation, another CNA, in July 2024.

In December 2024, SonicWall released a security advisory addressing six vulnerabilities affecting its SMA 100 series, including CVE-2024-38475.

The advisory includes a fix in SMA 100 series 10.2.1.14-75sv and higher.

SonicWall updated the advisory on April 29, 2025, to warn users that CVE-2024-38475 and the five related flaws could be exploited in the wild.

WatchTowr shared a proof-of-concept (poC) chaining exploit for CVE-2023-44221 and CVE-2024-38475 in its report.

Photo credits: Michael Vi/Tada Images/Shutterstock

Read now: Palo Alto Networks and SonicWall Firewalls Under Attack





Source link

Leave a Comment