
SonicWall VPN Flaws Exploited in the Wild


SonicWall disclosed that two previously patched security vulnerabilities in its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. On April 29, 2025, SonicWall revised its advisories for CVE-2023-44221 and CVE-2024-38475 to state that the two vulnerabilities are "potentially being exploited in the wild," and advised customers to check their SMA devices to confirm that no unauthorized logins have occurred.
 

What’s Notable and Unique

  • CVE-2023-44221 is a high-severity OS command injection vulnerability in the SMA100 SSL-VPN management interface, caused by improper neutralization of special elements in user-supplied input. An attacker who already holds administrator credentials can use it to execute arbitrary operating-system commands on the appliance as the "nobody" user; it is a post-authentication flaw, which is why evidence of unauthorized admin logins matters.
  • The second vulnerability, CVE-2024-38475, is a critical-severity flaw in Apache HTTP Server 2.4.59 and earlier (the SMA100 appliance embeds Apache httpd, which is why an Apache CVE appears in a SonicWall advisory). It is caused by improper escaping of output in mod_rewrite. Successful exploitation lets a remote, unauthenticated attacker map URLs to filesystem locations that the server is permitted to serve but that are not intentionally reachable by any URL, resulting in code execution or source-code disclosure.
  • Both vulnerabilities are fixed in firmware version 10.2.1.14-75sv and later and affect the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. CISA added both to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2025, and U.S. federal civilian agencies are required under BOD 22-01 to apply the patches by May 22, 2025.
  • In a revised advisory, SonicWall stated, “During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking.”
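To make the mod_rewrite mechanism behind CVE-2024-38475 concrete, the following is an added example written for this page; it is not SonicWall's code, not Apache's code, and not an exploit for the SMA100. It models only the three documented mod_rewrite behaviours that combine in this bug class: a server-context rule matches the decoded request path (so %3F arrives in a backreference as a literal "?"), a "?" in the expanded substitution splits path from query string, and a substitution whose first path component exists on disk is treated as a filesystem path rather than a URL. The in-memory filesystem, the rules, the /srv/internal paths and the probe request are all constructed for illustration, and the post-fix guard is a simplified stand-in for what Apache 2.4.60 introduced together with the UnsafeAllow3F flag.

```python
import re
from urllib.parse import unquote

# Constructed in-memory filesystem for the model. /srv/internal stands in for a
# directory the server is permitted to serve (e.g. via a <Directory> block) but
# that no URL is intended to reach.
FILESYSTEM = {
    "/srv",
    "/srv/internal",
    "/srv/internal/report.txt",
    "/var/www/html",
    "/var/www/html/index.html",
}
DOCROOT = "/var/www/html"


class RewriteRule:
    """Minimal model of a server-context RewriteRule (not Apache's code)."""

    def __init__(self, pattern, substitution, unsafe_allow_3f=False):
        self.pattern = re.compile(pattern)
        self.substitution = substitution
        self.unsafe_allow_3f = unsafe_allow_3f  # models the [UnsafeAllow3F] flag

    def first_segment_is_backref(self):
        # The rule shape the 2.4.60 fix targets: the substitution starts with a
        # backreference ($N) or a variable rather than a literal path segment.
        return re.match(r"^/?(\$\d|%\d|%\{)", self.substitution) is not None

    def apply(self, request_path, fixed_apache=False):
        """Return (kind, target, query). kind is 'no-match', 'rejected',
        'url' (resolved under DocumentRoot) or 'filesystem' (resolved as an
        absolute path on disk)."""
        decoded = unquote(request_path)  # mod_rewrite sees %3F as a literal '?'
        m = self.pattern.match(decoded)
        if not m:
            return ("no-match", None, None)
        groups = [g or "" for g in m.groups()]
        expanded = self.substitution
        for i, g in enumerate(groups, start=1):
            expanded = expanded.replace(f"${i}", g)
        # Post-2.4.60 guard (simplified): a backreference-led substitution whose
        # backreference carried a '?' is refused unless the rule opts in with
        # UnsafeAllow3F (a real server answers 403 and logs AH10411).
        if (fixed_apache and self.first_segment_is_backref()
                and any("?" in g for g in groups) and not self.unsafe_allow_3f):
            return ("rejected", None, None)
        # Everything after the first '?' becomes the query string.
        path, _, query = expanded.partition("?")
        first = "/" + path.lstrip("/").split("/", 1)[0]
        if first in FILESYSTEM:
            return ("filesystem", path, query)  # served straight from disk
        return ("url", DOCROOT + path, query)


# Constructed rules: the unsafe one leads with $1; the safer one leads with a
# literal segment, so the expansion can never begin a filesystem path.
UNSAFE = RewriteRule(r"^/html/(.*)$", "/$1.html")
SAFER = RewriteRule(r"^/html/(.*)$", "/pages/$1.html")
PROBE = "/html/srv/internal/report.txt%3F"   # constructed request path

if __name__ == "__main__":
    for label, rule in (("unsafe", UNSAFE), ("safer", SAFER)):
        print(label, "2.4.59:", rule.apply(PROBE))
        print(label, "2.4.60:", rule.apply(PROBE, fixed_apache=True))
```

Running the model shows the difference: with the backreference-led rule on a pre-fix server, the encoded "?" truncates the expanded substitution at the file path, and because "/srv" exists on disk the request is resolved as a filesystem path to a file no URL was meant to expose; on a fixed server the same request is rejected, and with the literal-led rule it never leaves DocumentRoot. For an appliance like the SMA100 the practical remedy is the firmware update, since its bundled httpd configuration is not something administrators tune; the model is mainly useful for understanding the bug class and for reviewing rewrite rules on Apache servers you do administer.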

 

Analyst Comments

 
Clients are advised to upgrade affected SMA 200, 210, 400, 410 and 500v appliances to firmware 10.2.1.14-75sv or later, then review the devices for unauthorized logins, paying particular attention to administrator logins from unexpected sources or at unexpected times, since CVE-2023-44221 requires admin credentials and the CVE-2024-38475 technique can yield hijacked sessions. Examine device settings, treat all configurations as possibly compromised, reset administrator credentials and terminate active sessions, and carry out the necessary recovery procedures. It is strongly recommended that all enterprises review their deployments to reduce risk: management interfaces should not be reachable from the public internet, and restricting access to them is a fundamental security best practice.
 
