If your organization uses SonicWall's Secure Mobile Access (SMA100) appliances, it's time to take action. SonicWall has confirmed that cyber attackers are actively exploiting two serious vulnerabilities in these devices, prompting warnings from both the company and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Here's what's happening and what you need to do.
Two Critical Flaws in the Spotlight
The affected appliances belong to the SMA100 series, including models like the SMA 200, 210, 400, 410, and 500v. Two separate vulnerabilities have been identified:
The first, CVE-2023-44221, is a command injection vulnerability in the SSL-VPN management interface of SMA100 appliances. An authenticated attacker with admin rights can inject arbitrary OS commands because special characters are handled improperly. The flaw resides in the Diagnostics menu and is considered post-authentication, meaning an attacker first needs access to an admin account.
The second, CVE-2024-38475, is more severe. It exists in the mod_rewrite module of Apache HTTP Server, which the SMA100 devices use. Because of improper output escaping, attackers can craft URLs that map to files on the server they are not authorized to access. This issue could lead to full unauthenticated access and even administrative control, making it especially dangerous.
How Are Attackers Using These?
According to security analysts, the real threat emerges when both flaws are used together. Threat actors may first exploit CVE-2024-38475 to bypass authentication, then follow up with CVE-2023-44221 to run malicious commands. This chaining can allow them to hijack active sessions and steal admin tokens—granting full control over the device.
CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) list on May 1, 2025, further signaling the urgency of the threat. While details remain limited about who's being targeted or how widespread the attacks are, a public proof-of-concept (PoC) has already surfaced online—making unpatched systems even more vulnerable.
Which Versions Are Affected?
The following firmware versions are known to be vulnerable:
If you're running any of these on the listed SMA100 appliances, your systems are at risk.
Mitigation: Patch Now, Audit Immediately
SonicWall has already released security patches to address these vulnerabilities:
If your SMA devices haven't been updated yet, patch them immediately. Additionally, it's crucial to review system logs and check for unauthorized logins or suspicious activity that may indicate compromise.
Final Thoughts
These vulnerabilities highlight the increasing risk posed by exposed remote access appliances—often the first target in sophisticated cyberattacks. If you manage SonicWall SMA100 series devices, patching alone isn't enough. Continuous monitoring, session control, and a strong incident response plan are equally critical.