watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221), potentially leading to full system takeover and session hijacking. Learn about affected models, available patches, and CISA's urgent warning.
Cybersecurity researchers at watchTowr have observed malicious threat actors actively leveraging known security vulnerabilities in SonicWall's widely used SMA 100 (Secure Mobile Access) appliances.
The discovery, documented in their latest blog post shared with Hackread.com, shows how attackers are combining two specific vulnerabilities to potentially gain full administrative control over these devices.
Evidence suggests these techniques are already being used in real-world attacks, making prompt awareness and action essential for affected organisations. The investigation began after customers reported unusual activity on a SonicWall device, leading to the discovery of a vulnerability in the Apache web server software tracked as CVE-2024-38475, originally found by Orange Tsai. The flaw permits unauthorized file reading, and its presence in the SonicWall configuration makes the appliance vulnerable.
The second critical vulnerability, CVE-2023-44221, is a command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd. This weakness allows an attacker who has already gained some level of access to execute their own commands on the affected system.
The combination of these two vulnerabilities is particularly concerning. The file read vulnerability (CVE-2024-38475) can be used to extract sensitive information, such as administrator session tokens, effectively bypassing the need for login credentials. Once this initial foothold is established, the command injection vulnerability (CVE-2023-44221) can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise.
The vulnerabilities affect the SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The blog post details the technical steps involved, including exploiting the Apache "Filename Confusion" and "DocumentRoot Confusion" and accessing sensitive files such as the session database.
The researchers also demonstrated how they overcame the challenges of reliably extracting this data, using techniques such as requesting the file in chunks, in order to use the command injection flaw, and even bypassed initial security measures implemented in the SonicWall software.
In their report, watchTowr researchers note that these vulnerabilities can be chained together to achieve a complete system takeover. Reportedly, CVE-2023-44221 was patched in December 2023 (firmware version 10.2.1.10-62sv and higher), and CVE-2024-38475 was patched in December 2024 (firmware version 10.2.1.14-75sv and higher).
watchTowr has also developed a tool (Detection Artefact Generator) to detect and exploit the vulnerabilities. This tool can help organisations assess their risk and apply the necessary patches and security measures.
The fact that CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on May 1, 2025, and mandated that federal agencies apply the patches by May 22, 2025, highlights the urgency of the situation. That is why it is essential to promptly address them in critical edge devices like the SonicWall SMA 100.
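As an added defender-side example (not from the article, and not watchTowr's Detection Artefact Generator), the following Python checks an SMA 100 appliance's model and firmware against the patched versions reported above, and scans Apache-style access-log lines for one cheap triage indicator. The combined log format, the sample log lines and the version-string layout are assumptions.

```python
import re

# Patched firmware versions and affected models as stated in the article.
PATCHED = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}


def parse_version(v):
    """Turn '10.2.1.14-75sv' into a comparable tuple (10, 2, 1, 14, 75)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv", v.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {v!r}")
    return tuple(int(x) for x in m.groups())


def unpatched_cves(model, version):
    """CVEs from the article an appliance is still exposed to, given its model
    and running firmware; models outside the SMA 100 series return []."""
    if model not in AFFECTED_MODELS:
        return []
    running = parse_version(version)
    return sorted(c for c, fixed in PATCHED.items() if running < parse_version(fixed))


# Assumed Apache combined log format: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def suspicious_requests(log_lines):
    """Flag requests whose raw path carries a percent-encoded '?' (%3F), an abuse
    indicator tied to Apache mod_rewrite's confusion bugs (Apache 2.4.60 gates such
    substitutions behind the UnsafeAllow3F flag); normal clients rarely send it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and "%3f" in m.group("path").lower():
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not taken from a real appliance).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:10:00:01 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/May/2025:10:00:05 +0000] "GET /images/logo%3F.png HTTP/1.1" 200 9021',
    '203.0.113.7 - - [01/May/2025:10:00:09 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 302 0',
]
```

A hit from `suspicious_requests` is a prompt to pull the full request and the appliance's firmware version, not proof of compromise; the version check tells you which of the two CVEs a box is still missing.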