SonicWall, a leading cybersecurity firm, has issued urgent warnings to customers about two critical vulnerabilities in its Secure Mobile Access (SMA) appliances that attackers are actively exploiting. The flaws, tracked as CVE-2023-44221 and CVE-2024-38475, pose significant risks to organizations using affected VPN devices, prompting calls for immediate patching.

Critical and High-Severity Flaws Under Active Exploitation

The first vulnerability, CVE-2023-44221, is a high-severity command injection flaw in the SMA100 series SSL-VPN management interface. Attackers with administrative privileges can exploit this bug to execute arbitrary commands as a low-privileged “nobody” user. SonicWall updated its advisory this week to confirm active exploitation, urging admins to audit logs for unauthorized access.

The second flaw, CVE-2024-38475, carries a critical severity rating and stems from improper escaping in Apache HTTP Server’s mod_rewrite module (versions 2.4.59 and earlier). This vulnerability allows unauthenticated remote attackers to execute code by manipulating URLs to access restricted files, potentially enabling session hijacking. SonicWall disclosed that “unauthorized access to certain files could enable attackers to hijack authenticated sessions,” amplifying risks for unpatched systems.

Affected devices include SMA 200, 210, 400, 410, and 500v appliances. Patches are available in firmware version 10.2.1.14-75sv or later.

A Pattern of Exploited Vulnerabilities

This alert follows a series of security incidents involving SonicWall products. Earlier in June, the company flagged CVE-2021-20035, a high-severity remote code execution flaw patched in 2021, as under active exploitation. Cybersecurity firm Arctic Wolf reported attacks leveraging this vulnerability since at least January 2025—a timeline discrepancy that raises questions, though experts speculate a possible typographical error (likely 2024).

In January 2024, SonicWall addressed a zero-day flaw in SMA1000 secure access gateways, and in February, it warned of an authentication bypass vulnerability in Gen 6 and Gen 7 firewalls that enabled VPN session hijacking. These repeated incidents underscore persistent targeting of SonicWall’s network infrastructure products.

Federal Agencies Directed to Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog on June 6, mandating federal agencies to remediate the issue by June 27. While this directive applies to government networks, private organizations are strongly encouraged to follow suit.

Recommendations for Mitigation

SonicWall’s Product Security Incident Response Team (PSIRT) advises customers to:

1. Immediately upgrade SMA appliances to firmware version 10.2.1.14-75sv or newer.
2. Audit device logs for signs of unauthorized access or unusual activity.
3. Enforce strict access controls on administrative interfaces and monitor privileged accounts.
4. Apply patches for older vulnerabilities, including CVE-2021-20035 and firewall flaws.

“The discovery of these exploitation techniques highlights the need for layered defenses,” SonicWall stated. “Proactive monitoring and rapid patching are critical.”

With threat actors aggressively targeting VPN vulnerabilities, organizations relying on SonicWall’s SMA devices must prioritize updates to avoid disruptive breaches. The convergence of newly exploited flaws and legacy vulnerabilities still under attack paints a stark picture: in today’s threat landscape, delayed patching is not an option.