SonicWall SMA VPN flaws (CVE-2023-44221, CVE-2024-38475) exploited. Patch now to prevent RCE, hijacking.
SonicWall, a leading cybersecurity firm, has issued urgent warnings to customers about two critical vulnerabilities in its Secure Mobile Access (SMA) appliances that attackers are actively exploiting. The flaws, tracked as CVE-2023-44221 and CVE-2024-38475, pose significant risks to organizations using affected VPN devices, prompting calls for immediate patching.
The first vulnerability, CVE-2023-44221, is a high-severity command injection flaw in the SMA100 series SSL-VPN management interface. Attackers with administrative privileges can exploit this bug to execute arbitrary commands as a low-privileged “nobody” user. SonicWall updated its advisory this week to confirm active exploitation, urging admins to audit logs for unauthorized access.
The second flaw, CVE-2024-38475, carries a critical severity rating and stems from improper escaping in Apache HTTP Server’s mod_rewrite module (versions 2.4.59 and earlier). This vulnerability allows unauthenticated remote attackers to execute code by manipulating URLs to access restricted files, potentially enabling session hijacking. SonicWall disclosed that “unauthorized access to certain files could enable attackers to hijack authenticated sessions,” amplifying risks for unpatched systems.
Affected devices include SMA 200, 210, 400, 410, and 500v appliances. Patches are available in firmware version 10.2.1.14-75sv or later.
This alert follows a series of security incidents involving SonicWall products. Earlier in June, the company flagged CVE-2021-20035, a high-severity remote code execution flaw patched in 2021, as under active exploitation. Cybersecurity firm Arctic Wolf reported attacks leveraging this vulnerability since at least January 2025, a timeline discrepancy that raises questions; experts speculate it is a typographical error (likely 2024).
In January 2024, SonicWall addressed a zero-day flaw in SMA1000 secure access gateways, and in February, it warned of an authentication bypass vulnerability in Gen 6 and Gen 7 firewalls that enabled VPN session hijacking. These repeated incidents underscore persistent targeting of SonicWall’s network infrastructure products.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog on June 6, mandating federal agencies to remediate the issue by June 27. While this directive applies to government networks, private organizations are strongly encouraged to follow suit.
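Two concrete checks fall out of the article: whether an SMA appliance runs the fixed firmware (10.2.1.14-75sv or later) and whether any CVE tracked for it sits in CISA's KEV catalog past its due date. The script below is an added example, not SonicWall's or CISA's code. The version parser assumes the `major.minor.patch.build-NNsv` scheme seen in the advisory string; the KEV records and the appliance inventory are constructed sample data (the KEV field names match the public JSON feed, and the year on the KEV dates is assumed, since the article gives only June 6 and June 27).

```python
"""Added example (not SonicWall's or CISA's code): triage a constructed SMA
appliance inventory against the patched firmware version from the advisory
and against KEV-shaped records."""
import json
import re
from datetime import date

# Patched firmware version named in the advisory ("10.2.1.14-75sv or later").
PATCHED_VERSION = "10.2.1.14-75sv"

# Assumed scheme: dotted numeric components, optional "-<n>sv" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)sv)?$")


def parse_version(v):
    """Turn '10.2.1.14-75sv' into a comparable tuple (10, 2, 1, 14, 75).
    Dotted components come first (padded to four), then the hotfix number
    (0 when the suffix is absent), so plain tuple ordering works."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts + (hotfix,)


def is_patched(version, baseline=PATCHED_VERSION):
    """True when the appliance firmware is at or above the advisory baseline."""
    return parse_version(version) >= parse_version(baseline)


# Constructed sample in the shape of CISA's KEV JSON feed. Field names match
# the real feed; the year is assumed (the article gives only June 6 / June 27).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-20035", "vendorProject": "SonicWall",
     "product": "SMA100 Appliances", "dateAdded": "2025-06-06",
     "dueDate": "2025-06-27"},
]})

# Constructed inventory: hostnames and firmware strings are illustrative only.
INVENTORY = [
    {"name": "sma-410-hq", "firmware": "10.2.1.13-72sv",
     "cves": ["CVE-2023-44221", "CVE-2024-38475", "CVE-2021-20035"]},
    {"name": "sma-500v-lab", "firmware": "10.2.1.14-75sv",
     "cves": ["CVE-2023-44221", "CVE-2024-38475", "CVE-2021-20035"]},
]


def kev_index(kev_json):
    """Map cveID -> record for every entry in a KEV-shaped feed."""
    data = json.loads(kev_json)
    return {r["cveID"]: r for r in data.get("vulnerabilities", [])}


def triage(inventory, kev_json, today_iso):
    """For each appliance, report whether it is below the patched firmware and,
    if so, which of its tracked CVEs are KEV-listed and past their due date.
    A host at or above the baseline already carries the fixes, so no KEV
    deadline is reported for it."""
    kev = kev_index(kev_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for host in inventory:
        patched = is_patched(host["firmware"])
        overdue = []
        if not patched:
            for cve in host.get("cves", []):
                rec = kev.get(cve)
                if rec and date.fromisoformat(rec["dueDate"]) < today:
                    overdue.append(cve)
        findings.append({"host": host["name"], "firmware": host["firmware"],
                         "patched": patched, "kev_overdue": sorted(overdue)})
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_SAMPLE, "2025-07-01"):
        status = "OK" if f["patched"] else "UPDATE REQUIRED"
        print(f"{f['host']:14} {f['firmware']:16} {status} "
              f"KEV overdue: {', '.join(f['kev_overdue']) or '-'}")
```

Feeding the script a real export of your appliance inventory and the live KEV feed turns the article's two deadlines (vendor baseline firmware, CISA due date) into a single list of hosts that need action; the version tuple comparison is what prevents a string compare from ranking `10.2.1.9` above `10.2.1.14`.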
SonicWall’s Product Security Incident Response Team (PSIRT) advises customers to:
“The discovery of these exploitation techniques highlights the need for layered defenses,” SonicWall stated. “Proactive monitoring and rapid patching are critical.”
With threat actors aggressively targeting VPN vulnerabilities, organizations relying on SonicWall’s SMA devices must prioritize updates to avoid disruptive breaches. The convergence of newly exploited flaws and legacy vulnerabilities still under attack paints a stark picture: in today’s threat landscape, delayed patching is not an option.