SonicWall Reveals Active Exploitation of Two Security Vulnerabilities Affecting SMA100 Devices

164/68 Friday, May 2, 2025

SonicWall has disclosed that two security vulnerabilities affecting its Secure Mobile Access (SMA100) devices continue to be actively exploited in the wild, despite patches having been released. The details of the vulnerabilities are as follows:

  • CVE-2023-44221 (CVSS 7.2): An OS command injection vulnerability caused by improper data neutralization in the management interface of SMA100 SSL-VPN. This flaw allows an attacker with admin privileges to inject malicious commands that execute with the privileges of the “nobody” user.
  • CVE-2024-38475 (CVSS 9.8): A vulnerability in the Apache HTTP Server (mod_rewrite) that allows attackers to map URLs to sensitive file locations on the system. This could lead to session hijacking and unauthorized access to resources.

These vulnerabilities affect the SMA 100 Series, including the SMA 200, 210, 400, 410, and 500v. SonicWall has released fixes in the following firmware versions:

  • CVE-2023-44221: Fixed in version 10.2.1.10-62sv and later (released on December 4, 2023)
  • CVE-2024-38475: Fixed in version 10.2.1.14-75sv and later (released on December 4, 2024)

In the latest update on April 29, 2025, SonicWall reported that its security analysts have observed new exploitation techniques for CVE-2024-38475. These techniques could allow unauthorized users to access specific files and hijack active sessions. Although there is currently no definitive information on the specific targets or scope of the attacks, the disclosure comes shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the older CVE-2021-20035 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, having observed real-world exploitation.

SonicWall recommends that administrators immediately inspect SMA devices for abnormal login activity and ensure all systems are updated to the latest patched versions to mitigate the risk of exploitation.
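To support the update check recommended above, the following added example (not SonicWall's code and not part of the original advisory) compares firmware versions from a device inventory against the two fixed-in versions listed earlier. It assumes version strings follow the `a.b.c.d-NNsv` form shown in this advisory and that numeric ordering of those fields matches release order; the hostnames and inventory versions are constructed.

```python
import re

# Fixed-in versions exactly as stated in the advisory text above.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed format: four dotted numeric fields, a build number, then "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75); raise ValueError otherwise."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognized SMA100 firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(firmware):
    """Return the CVEs from FIXED_IN whose fix is newer than `firmware`."""
    current = parse_version(firmware)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if current < parse_version(fixed))


def audit(inventory):
    """Map each host to its unpatched CVEs, or 'UNKNOWN' if the version is unparsable."""
    report = {}
    for host, firmware in inventory.items():
        try:
            report[host] = unpatched_cves(firmware)
        except ValueError:
            report[host] = "UNKNOWN"  # needs manual review; never assume patched
    return report


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "sma-branch-01": "10.2.1.9-57sv",   # a plain string compare would rank this above 10.2.1.10
    "sma-branch-02": "10.2.1.13-72sv",
    "sma-hq-01": "10.2.1.14-75sv",
    "sma-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(host, result or "patched for both CVEs")
```

A patched version only closes the vulnerability going forward, so devices flagged here still need the login-activity review the advisory recommends.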

Source: https://thehackernews.com/2025/05/sonicwall-confirms-active-exploitation.html