SonicWall confirms active exploitation of two more SMA VPN vulnerabilities

Cybersecurity firm SonicWall has issued a warning to its customers, confirming that two previously patched vulnerabilities affecting its Secure Mobile Access (SMA) appliances are now being actively exploited in real-world attacks.

This development adds to a growing list of security concerns surrounding the company’s VPN products over the past year.

In updated security advisories released last week, SonicWall elevated the status of vulnerabilities CVE-2023-44221 and CVE-2024-38475, stating they are “potentially being exploited in the wild.”

Both flaws impact SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices.

The first flaw, CVE-2023-44221, is rated as high-severity. It involves a command injection vulnerability within the SMA100 series SSL-VPN management interface. According to SonicWall, improper handling of special characters could allow an attacker who already possesses administrative privileges to inject and execute commands on the system, albeit as a restricted ‘nobody’ user.

More concerning is CVE-2024-38475, a critical-severity vulnerability stemming from improper output escaping within the mod_rewrite module of Apache HTTP Server version 2.4.59 and earlier, which is used by the SMA appliances.

Successful exploitation of this flaw could permit an unauthenticated remote attacker to achieve code execution by manipulating URL mappings to file system locations. Further analysis by SonicWall and its partners revealed an alarming escalation: “unauthorized access to certain files could enable session hijacking,” potentially allowing attackers to take over legitimate user sessions.

SonicWall strongly advises customers using the affected SMA appliances to update their firmware immediately to version 10.2.1.14-75sv or later, which contains patches for both vulnerabilities.
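To act on that advice across a fleet, the check below triages an appliance inventory against the fixed firmware release and the affected model list given in this article. It is an added example, not SonicWall code: the inventory rows are constructed, and the `a.b.c.d-NNsv` version layout is an assumption inferred from the single version string quoted above.

```python
import re

# Values taken from the article.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500V"}
FIXED_VERSION = "10.2.1.14-75sv"

# Assumed layout: four dotted numbers, a dash, a build number, the suffix "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn 'a.b.c.d-NNsv' into a tuple of ints so 9 sorts before 14."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(group) for group in match.groups())


def triage(inventory):
    """Map each hostname to 'out-of-scope', 'patched', 'needs-update' or 'unknown-version'."""
    fixed = parse_version(FIXED_VERSION)
    status = {}
    for host, model, firmware in inventory:
        # Normalise spacing and case so 'sma 500v' matches 'SMA 500V'.
        if " ".join(model.split()).upper() not in AFFECTED_MODELS:
            status[host] = "out-of-scope"
            continue
        try:
            current = parse_version(firmware)
        except ValueError:
            # Fail closed: an unparseable version needs a manual look.
            status[host] = "unknown-version"
            continue
        status[host] = "patched" if current >= fixed else "needs-update"
    return status


# Constructed inventory: (hostname, model, reported firmware).
INVENTORY = [
    ("vpn-a", "SMA 410", "10.2.1.14-75sv"),    # exactly the fixed release
    ("vpn-b", "SMA 200", "10.2.1.9-57sv"),     # older; a string compare would misorder it
    ("vpn-c", "sma 500v", "10.2.1.15-81sv"),   # newer than the fix
    ("vpn-d", "SMA 400", "10.2.1.13"),         # build suffix missing
    ("gw-e", "other-appliance", "1.0.0.0-1sv"),
]

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as `needs-update` or `unknown-version` are the ones to prioritise for the unauthorized-login review the advisory recommends.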

“During further analysis, SonicWall and trusted security partners identified that ‘CVE-2023-44221 – Post Authentication OS Command Injection’ vulnerability is potentially being exploited in the wild,” the company stated.

“SonicWall PSIRT recommends that customers review their SMA devices to ensure no unauthorized logins.”

This latest warning highlights a troubling trend for SonicWall VPN users.

Just last month (April 2025), the company acknowledged that another vulnerability, CVE-2021-20035 – patched nearly four years ago – was being actively exploited in remote code execution attacks against SMA100 devices.

Cybersecurity firm Arctic Wolf reported observing exploitation of this older flaw dating back to at least January 2025, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate patching for U.S. federal agencies.

Earlier incidents this year further underscore the risks:

In January 2025, SonicWall urged administrators to patch a critical zero-day flaw under active attack in its SMA1000 secure access gateways.