Source: hackread.com – Author: Deeba Ahmed.
watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover and session hijacking. Learn about affected models, available patches, and CISA’s urgent warning.
Cybersecurity researchers at watchTowr have spotted malicious threat actors actively leveraging known security vulnerabilities in SonicWall’s widely used SMA 100 (Secure Mobile Access) appliances.
This discovery, documented in their latest blog post shared with Hackread.com, reveals how attackers are combining two specific vulnerabilities to potentially gain complete administrative control over these devices.
Evidence suggests these techniques are already being used in real-world attacks, so prompt awareness and action are critical for affected organisations. The investigation began after clients reported unusual activity on their SonicWall appliances, which led the researchers to CVE-2024-38475, a flaw in the Apache HTTP Server's mod_rewrite module discovered by Orange Tsai. The flaw lets an unauthenticated request be mapped to a file the server was never meant to serve, and the way the SMA 100 firmware configures Apache exposes the appliance to it.
The second critical vulnerability, CVE-2023-44221, is a post-authentication command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd. It allows an attacker who is already authenticated to the appliance to execute operating-system commands on it.
The combination of these two vulnerabilities is what makes the chain dangerous. The file read vulnerability (CVE-2024-38475) is used to pull sensitive data off the appliance, notably administrator session tokens, so the attacker never needs valid credentials: replaying a stolen token hijacks an existing administrator session. With that authenticated foothold, the command injection vulnerability (CVE-2023-44221) can be exploited to run arbitrary commands, leading to full compromise of the device.
The vulnerabilities affect the SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The blog post walks through the technical steps, including abusing Apache's "Filename Confusion" and "DocumentRoot Confusion" behaviours to reach files outside the intended document root, such as the appliance's session database.
The researchers also describe the practical obstacles they hit and how they worked around them: the session database could not be pulled reliably in a single request, so they retrieved it in chunks, and they had to get past initial mitigation attempts present in the SonicWall software before the stolen session could be used to reach the command injection flaw.
In their report, watchTowr researchers note that these vulnerabilities can be chained together to achieve a complete system takeover. CVE-2023-44221 was reportedly patched in December 2023 (firmware version 10.2.1.10-62sv and higher), and CVE-2024-38475 in December 2024 (firmware version 10.2.1.14-75sv and higher).
watchTowr has also released a tool, the Detection Artefact Generator, that can detect and demonstrate exploitation of these vulnerabilities. It lets organisations check whether their appliances are exposed, prioritise the necessary patches, and confirm that mitigations are in place.
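As an added example that is not part of the hackread article, watchTowr's tool or SonicWall's own code, the script below performs two checks an operator would want after reading the patch and detection paragraphs above: it compares an SMA 100 firmware version string against the fixed builds named in the article, and it scans Apache-style access-log lines for the percent-encoded question mark (`%3f`) inside the request path. That encoding is what a client must send for a `?` to survive into mod_rewrite's substituted filename (a literal `?` is parsed as the start of the query string), so its presence in a rewritten path is a reasonable indicator of a CVE-2024-38475 probe. The log lines, client addresses and path names are constructed for the example; the `%3f` heuristic and the log format are assumptions, not a signature published by watchTowr.

```python
"""Exposure checks for the SonicWall SMA 100 chain (added example, not
watchTowr's Detection Artefact Generator and not SonicWall code).

firmware_status()       - which of the two CVEs a given firmware build still
                          carries, using the fixed versions from the article.
flag_confusion_probes() - Apache-style access-log lines whose request *path*
                          contains an encoded '?' (%3f), the pattern needed to
                          truncate mod_rewrite's substituted filename
                          (assumed heuristic, not a published signature).
"""
import re

# Fixed builds named in the article: "x and higher" is patched.
FIXED_IN = {
    "CVE-2023-44221": (10, 2, 1, 10, 62),   # 10.2.1.10-62sv
    "CVE-2024-38475": (10, 2, 1, 14, 75),   # 10.2.1.14-75sv
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

# Apache combined log format; only the fields we need are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version: str) -> tuple:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so tuples compare
    numerically; a plain string compare would rank '10.2.1.9' above '10.2.1.14'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())


def firmware_status(version: str) -> dict:
    """Map each CVE to True if the build is at or above the fixed version."""
    v = parse_version(version)
    return {cve: v >= fixed for cve, fixed in FIXED_IN.items()}


def flag_confusion_probes(lines) -> list:
    """Return log entries whose request path (not query string) contains %3f.

    The split on the first literal '?' matters: '%3f' inside a genuine query
    string never reaches the rewritten filename, so it is not flagged.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        path = m.group("target").split("?", 1)[0]
        if "%3f" in path.lower():         # %3f / %3F both decode to '?'
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),  # 206 = partial content, i.e. chunked retrieval
            })
    return hits


# Constructed sample log: two benign requests (one with %3f only in the query
# string) and two probe-style requests from a second client, the second of
# which fetched a byte range (206).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:09:12:01 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/May/2025:09:12:05 +0000] "GET /search?q=what%3f HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/May/2025:09:13:44 +0000] "GET /rewritten/tmp/sessions.db%3f HTTP/1.1" 200 65536 "-" "curl/8.4.0"',
    '198.51.100.23 - - [01/May/2025:09:13:50 +0000] "GET /rewritten/tmp/sessions.db%3F HTTP/1.1" 206 4096 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for build in ("10.2.1.9-57sv", "10.2.1.10-62sv", "10.2.1.14-75sv"):
        print(build, firmware_status(build))
    for hit in flag_confusion_probes(SAMPLE_LOG):
        print("possible CVE-2024-38475 probe:", hit)
```

Feed `flag_confusion_probes()` the appliance's real access log and `firmware_status()` the version shown in the admin console; a build below 10.2.1.14-75sv together with `%3f` paths from an unfamiliar client is the combination that warrants treating the session database, and every administrator session, as compromised.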
CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on May 1, 2025, and required federal agencies to apply the patches by May 22, 2025, which underlines the urgency. Internet-facing edge devices such as the SonicWall SMA 100 are exactly where these flaws need to be addressed first.
Original Post url: https://hackread.com/watchtowr-exploits-target-sonicwall-sma-100-devices/
Category & Tags: Security, CISA, Cyber Attack, Cybersecurity, SonicWall, Vulnerability, watchTowr