watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221), potentially leading to full system takeover and session hijacking. Learn about affected models, available patches, and CISA's urgent warning.
Cybersecurity researchers at watchTowr have observed malicious threat actors actively leveraging known security vulnerabilities in SonicWall's widely used SMA 100 (Secure Mobile Access) appliances.
This discovery, documented in their latest blog post shared with Hackread.com, reveals how attackers are combining two specific vulnerabilities to potentially gain full administrative control over these devices.
Evidence suggests these techniques are already being employed in real-world attacks, making prompt awareness and action essential for affected businesses. The investigation started after clients reported unusual activity on a SonicWall device, leading to the discovery of a vulnerability in the Apache web server software tracked as CVE-2024-38475, found by Orange Tsai. The flaw allows unauthorized file reading, and its presence in the SonicWall configuration makes the appliance vulnerable.
The second critical vulnerability, CVE-2023-44221, is a command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd. This weakness allows an attacker who has already gained some level of access to execute their own commands on the affected system.
The combination of these two vulnerabilities is particularly concerning. The file read vulnerability (CVE-2024-38475) can be used to extract sensitive information, such as administrator session tokens, effectively bypassing the need for login credentials. Once this initial foothold is established, the command injection vulnerability (CVE-2023-44221) can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise.
The vulnerabilities affect the SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The blog post walks through the technical steps involved, including exploiting the Apache "Filename Confusion" and "DocumentRoot Confusion," and accessing sensitive files such as the session database.
The researchers also demonstrated how to overcome challenges in reliably extracting this data by using techniques like requesting the file in chunks, how to exploit the command injection flaw, and how to bypass initial attempts at security measures implemented in the SonicWall software.
In their report, watchTowr researchers note that these vulnerabilities can be chained together to achieve a complete system takeover. Reportedly, CVE-2023-44221 was patched in December 2023 (firmware version 10.2.1.10-62sv and higher), and CVE-2024-38475 was patched in December 2024 (firmware version 10.2.1.14-75sv and higher).
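A quick way to check whether an installed SMA 100 firmware build already carries both fixes, using the patched versions quoted above. This is an added example, not watchTowr's tool or any SonicWall code; it assumes the version string layout `10.2.1.14-75sv` (four dotted numbers, a dash, a build number, `sv`) and that build numbers increase monotonically with releases.

```python
import re

# Patched firmware versions as reported above; anything lower is exposed.
PATCHED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed layout of an SMA 100 firmware version string: a.b.c.d-NNsv
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so tuples compare in order."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA 100 firmware version: {version!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(installed_version: str) -> list:
    """Return the CVEs from the article that the given firmware does not yet fix."""
    installed = parse_version(installed_version)
    return [
        cve for cve, fixed_in in PATCHED_IN.items()
        if installed < parse_version(fixed_in)
    ]


if __name__ == "__main__":
    # Constructed sample inventory: appliance name -> reported firmware version.
    inventory = {
        "sma-hq-01": "10.2.1.14-75sv",
        "sma-branch-02": "10.2.1.12-69sv",
        "sma-lab-03": "10.2.1.9-57sv",
    }
    for name, version in inventory.items():
        missing = unpatched_cves(version)
        status = "patched" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name:15} {version:16} {status}")
```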
watchTowr has also developed a tool (Detection Artefact Generator) to detect and exploit the vulnerabilities. This tool can help organizations assess their risk, implement the necessary patches, and put security measures in place.
The fact that CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on May 1, 2025, and mandated that federal agencies apply the patches by May 22, 2025, highlights the urgency of the situation. That is why it is essential to address them promptly on critical edge devices like the SonicWall SMA 100.