
SonicWall has once again found itself in the spotlight following the disclosure and confirmed active exploitation of two vulnerabilities in its Secure Mobile Access (SMA) 100 series appliances. The company reported that threat actors are already chaining these flaws to break into devices and achieve remote code execution. The vulnerabilities in question, CVE-2023-44221 and CVE-2024-38475, each pose a significant threat to corporate network infrastructure because SMA appliances sit at the network edge and terminate remote-access VPN sessions.
The first vulnerability, CVE-2023-44221, is an OS command injection caused by improper neutralization of special elements in the management interface of the SMA100 SSL-VPN. An attacker who already holds administrative privileges on the appliance can execute arbitrary operating-system commands as the restricted 'nobody' user. Although exploitation requires an authenticated administrator, SonicWall has warned that real-world exploitation has already been observed, which in practice means attackers are obtaining admin credentials first and then using this bug to gain a foothold on the underlying system.
The second flaw, CVE-2024-38475, is rated critical and is not SonicWall's own code: it is an improper output-escaping bug in the mod_rewrite module of Apache HTTP Server (versions 2.4.59 and earlier), which the SMA100 firmware bundles. A crafted URL can cause a rewrite rule to map the request to a filesystem location that the server is permitted to serve but that was never meant to be reachable by any URL, and no authentication is needed to send that request. Depending on what lies at the mapped location, the result is code execution or disclosure of source code. SonicWall's specialists and their partners also identified an additional exploitation technique built on this flaw that grants unauthorized access to files on the appliance, which can in turn enable hijacking of active user sessions.
Both vulnerabilities affect the SMA 200, 210, 400, and 410 hardware appliances and the virtual SMA 500v gateway. Both issues are addressed in firmware version 10.2.1.14-75sv and later; any SMA100 device still running an earlier build should be treated as exposed. Administrators are strongly urged to upgrade, to review the appliance's authentication logs for administrative logins they cannot account for, and to check the device for indicators of compromise rather than assuming that patching alone has closed the incident.
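The first thing an administrator has to establish is whether each SMA100 appliance in the fleet is at or above the fixed build. SonicWall version strings carry a release number and a separate build suffix (for example 10.2.1.14-75sv), so a plain string comparison gets them wrong. The following Python is an added example written for this article, not SonicWall tooling; it assumes the version format shown in the advisory (dotted release, hyphen, numeric build, "sv" suffix) and compares release first, then build. The inventory entries are constructed sample data, not real devices.

```python
import re

# Fixed build for the SMA100 series named in the SonicWall advisory.
FIXED_SMA100_VERSION = "10.2.1.14-75sv"

# Assumed format: dotted release, hyphen, numeric build number, literal "sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_sma_version(version: str) -> tuple:
    """Turn '10.2.1.14-75sv' into ((10, 2, 1, 14), 75) so it compares numerically.

    Raises ValueError for anything that does not match the expected format,
    so an unparseable string is surfaced rather than silently treated as safe.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA100 firmware version: {version!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    build = int(match.group(2))
    return release, build


def is_patched(version: str, fixed: str = FIXED_SMA100_VERSION) -> bool:
    """True if `version` is the fixed build or a later one.

    Tuple comparison handles the release first, then the build suffix, so
    10.2.1.14-74sv is correctly reported as unpatched while 10.2.1.15-81sv
    is reported as patched.
    """
    return parse_sma_version(version) >= parse_sma_version(fixed)


def triage(inventory):
    """Return the names of appliances still running a pre-fix build.

    `inventory` is an iterable of (name, version) pairs, e.g. exported from a
    CMDB. Any entry with an unparseable version is reported as needing review
    rather than being dropped.
    """
    exposed = []
    for name, version in inventory:
        try:
            if not is_patched(version):
                exposed.append(name)
        except ValueError:
            exposed.append(f"{name} (unparseable version {version!r})")
    return exposed


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    ("sma-410-hq", "10.2.1.14-75sv"),
    ("sma-210-branch", "10.2.1.13-72sv"),
    ("sma-500v-lab", "10.2.1.10-62sv"),
    ("sma-400-dr", "10.2.1.15-81sv"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"EXPOSED: {name}")
```

Run against a real export, the list it prints is the set of devices to upgrade and to put at the front of the log-review queue; everything else can be checked afterwards.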
Just a week earlier, SonicWall had issued a separate alert regarding CVE-2021-20035, an OS command injection in the SMA100 management interface that was originally patched in 2021. Reports have since surfaced that it continues to be actively exploited against SMA100 appliances, with documented attacks dating back to at least January of this year (2025). The activity was first reported by Arctic Wolf and subsequently validated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added the vulnerability to its Known Exploited Vulnerabilities catalog, obliging federal civilian agencies to remediate it by the catalog's deadline.
In January, SonicWall had already confronted a similar scenario when a critical zero-day vulnerability in SMA1000 gateways (CVE-2025-23006) was exploited in the wild. This was soon followed by reports of exploitation of an SSL-VPN authentication bypass (CVE-2024-53704) in Gen 6 and Gen 7 firewalls, enabling attackers to hijack active VPN sessions. The common thread across these incidents is that edge appliances with known, patched flaws remain targets for months or years after the fix ships; the current wave underscores the importance of timely firmware updates and of monitoring authentication logs for access attempts that cannot be explained.