SonicWall has confirmed that two critical security flaws in its SMA 100 Series devices have been actively exploited. The company urged all customers to apply available patches immediately and inspect their systems for signs of compromise.
These newly disclosed SonicWall vulnerabilities affect the Secure Mobile Access (SMA) 100 Series, including models SMA 200, 210, 400, 410, and 500v. SonicWall released patches for both issues in previous updates but has now revealed that threat actors are exploiting the flaws in the wild.
Details of the SonicWall Vulnerabilities
The first flaw, tracked as CVE-2023-44221, carries a CVSS score of 7.2. It is an OS command injection vulnerability in the SSL-VPN management interface. An attacker with administrative privileges can inject arbitrary commands as the ‘nobody’ user. This attack could lead to full command execution on the device. SonicWall patched this flaw in version 10.2.1.10-62sv and later, released on December 4, 2023.
The second and more severe flaw, CVE-2024-38475, has a CVSS score of 9.8. It impacts the Apache HTTP Server (version 2.4.59 and earlier) bundled within SMA firmware. Improper escaping of output in mod_rewrite allows attackers to manipulate URLs to access restricted file paths. This can expose sensitive files and may allow further exploitation. SonicWall addressed this issue in version 10.2.1.14-75sv, released on December 4, 2024.
In an April 29, 2025 advisory update, SonicWall warned that these flaws have been actively exploited in real-world attacks. They also identified an additional exploitation method for CVE-2024-38475, which could allow attackers to hijack active sessions by accessing specific files.
Customers Urged to Act Quickly
While SonicWall has not disclosed how these vulnerabilities are being exploited or who is behind the attacks, they are encouraging all users to check for unauthorized logins and apply the latest security updates.
The company said in its statement: “During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking.”
These revelations come shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a separate SonicWall flaw, CVE-2021-20035 (CVSS 7.2), to its Known Exploited Vulnerabilities (KEV) catalog. That flaw also affects SMA 100 Series devices and was added based on active exploitation data.
Given the recurring pattern of SonicWall devices being targeted, customers should treat these risks as urgent. Attackers are clearly focusing on exploiting edge devices like VPN gateways and remote access systems to infiltrate networks.
Best Practices for Users:
- Immediately apply firmware updates for SMA 100 Series devices
- Verify that the running firmware version meets the patched releases (10.2.1.10-62sv or later for CVE-2023-44221, and 10.2.1.14-75sv or later for CVE-2024-38475)
- Monitor device logs for unusual activity or unauthorized access
- Rotate admin credentials as a precaution
- Enable MFA (multi-factor authentication) where possible
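For the version check in the list above, here is an added example (not SonicWall's code and not part of the original article) that compares firmware strings numerically, since plain string comparison ranks a build such as 10.2.1.9 above 10.2.1.14. The version pattern is assumed from the two release strings quoted in the article, and the device names and the inventory are constructed.

```python
import re

# First patched firmware per CVE, as stated in the article above.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed format, inferred from the release strings quoted in the article.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) for numeric comparison."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised SMA 100 firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(running):
    """Return the CVEs from FIXED_IN whose fix is newer than the running version."""
    current = parse_version(running)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if current < parse_version(fixed))


def audit(inventory):
    """Map each device to its unpatched CVEs; unparseable versions map to None."""
    report = {}
    for name, version in inventory.items():
        try:
            report[name] = unpatched_cves(version)
        except ValueError:
            report[name] = None  # flag for manual review, never assume patched
    return report


if __name__ == "__main__":
    # Constructed inventory: device names and versions are illustrative only.
    sample = {
        "sma-hq": "10.2.1.14-75sv",
        "sma-branch": "10.2.1.9-57sv",
        "sma-lab": "10.2.1.10-62sv",
        "sma-dr": "unknown",
    }
    for device, result in audit(sample).items():
        print(device, "MANUAL REVIEW" if result is None else (result or "patched"))
```

A device whose version string does not parse is reported for manual review instead of being counted as patched.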
With attackers actively hunting for exploitable edge devices, delayed patching could leave networks exposed. Organizations using SonicWall’s SMA appliances must remain vigilant, as the SonicWall vulnerabilities continue to pose a real-world threat to enterprise security.