SMA100 VPN vulnerabilities now exploited in attacks
Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
On Tuesday, SonicWall updated security advisories for the CVE-2023-44221 and CVE-2024-38475 security flaws to tag the two vulnerabilities as “potentially being exploited in the wild.”
CVE-2023-44221 is described as a high-severity command injection vulnerability caused by improper neutralization of special elements in the SMA100 SSL-VPN management interface that enables attackers with admin privileges to inject arbitrary commands as a ‘nobody’ user.
The second security bug, CVE-2024-38475, is rated as a critical severity flaw caused by improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier. Successful exploitation can allow unauthenticated, remote attackers to gain code execution by mapping URLs to file system locations permitted to be served by the server.
The two vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.14-75sv and later.
“During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking,” SonicWall warned in an updated advisory.
“During further analysis, SonicWall and trusted security partners identified that ‘CVE-2023-44221 – Post Authentication OS Command Injection’ vulnerability is potentially being exploited in the wild,” it added. “SonicWall PSIRT recommends that customers review their SMA devices to ensure no unauthorized logins.”
Earlier this month, the company flagged another high-severity flaw patched almost four years ago and tracked as CVE-2021-20035 as actively exploited in remote code execution attacks targeting SMA100 VPN appliances. One day later, cybersecurity company Arctic Wolf said CVE-2021-20035 had been under active exploitation since at least January 2025.
CISA also added the security bug to its Known Exploited Vulnerabilities catalog, ordering U.S. federal agencies to secure their networks against ongoing attacks.
In January, SonicWall urged admins to patch a critical flaw in SMA1000 secure access gateways that was being exploited in zero-day attacks, and one month later warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that lets hackers hijack VPN sessions.
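For admins checking a fleet against the affected models and fixed firmware version listed above, the following is an added example, not code from SonicWall or from this article. It assumes firmware strings follow the layout of the version quoted above and that builds order numerically; the inventory rows are constructed.

```python
import re

# From the article: affected models and the first fixed firmware version.
AFFECTED_MODELS = {"sma 200", "sma 210", "sma 400", "sma 410", "sma 500v"}
FIXED_VERSION = "10.2.1.14-75sv"

# Assumed layout: four dotted numbers, a dash, a build number, then "sv"
# (inferred from the version string above, not from vendor documentation).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version):
    """Return the version as a tuple of ints, or None if it does not parse."""
    match = _VERSION_RE.match(version.strip().lower())
    return tuple(int(part) for part in match.groups()) if match else None


def triage(model, version):
    """Classify one appliance: 'not-listed', 'patched', 'vulnerable' or 'unknown'."""
    # Normalize case and whitespace so "sma  500V" matches "SMA 500v".
    if " ".join(model.split()).lower() not in AFFECTED_MODELS:
        return "not-listed"  # outside these advisories, not necessarily safe
    parsed = parse_firmware(version)
    if parsed is None:
        return "unknown"  # affected model with unreadable version: check by hand
    return "patched" if parsed >= parse_firmware(FIXED_VERSION) else "vulnerable"


def triage_inventory(rows):
    """Map each (hostname, model, version) row to its triage result."""
    return {host: triage(model, version) for host, model, version in rows}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-a.example.internal", "SMA 410", "10.2.1.13-72sv"),
    ("vpn-b.example.internal", "SMA 200", "10.2.1.14-75sv"),
    ("vpn-c.example.internal", "sma  500V", "10.2.1.15-81sv"),
    ("vpn-d.example.internal", "SMA 400", "not reported"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as vulnerable or unknown are the ones to prioritize for the login review SonicWall PSIRT recommends.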