watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices


Source: HackRead
Tags: vulnerability, web, apache, auth

watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover and session hijacking. Learn about affected models, available patches, and CISA’s urgent warning.

Cybersecurity researchers at watchTowr have spotted malicious threat actors actively leveraging known security vulnerabilities in SonicWall’s widely used SMA 100 (Secure Mobile Access) appliances.

This discovery, documented in their latest blog post shared with Hackread.com, reveals how attackers are combining two specific vulnerabilities to potentially gain complete administrative control over these devices.

Evidence suggests these techniques are already being employed in real-world attacks, making immediate awareness and action critical for affected businesses. The investigation started after clients reported unusual activity on a SonicWall system, which led the researchers to a vulnerability in the Apache web server software, tracked as CVE-2024-38475 and originally discovered by Orange Tsai. The flaw allows unauthenticated file reading, and the way Apache is configured on the SonicWall appliance makes the device vulnerable to it.

The second critical vulnerability, CVE-2023-44221, is a command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd. This weakness allows an attacker who has already gained some level of access to execute their own commands on the affected system.

The combination of these two vulnerabilities is particularly concerning. The file read vulnerability (CVE-2024-38475) can be used to extract sensitive information, such as administrator session tokens, effectively bypassing the need for login credentials. Once this initial foothold is established, the command injection vulnerability (CVE-2023-44221) can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise.

The vulnerabilities affect the SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The blog post reveals the technical steps involved, including exploiting the Apache “Filename Confusion” and “DocumentRoot Confusion,” and accessing sensitive files like the session database.

The researchers also showed how to overcome the obstacles to extracting this data reliably, for example by requesting the file in chunks, before moving on to the command injection flaw, and how to bypass the initial security measures SonicWall had implemented in its software.

In their report, watchTowr researchers note that these vulnerabilities could be chained together to achieve a complete system takeover. Reportedly, CVE-2023-44221 was patched in December 2023 (firmware version 10.2.1.10-62sv and higher), and CVE-2024-38475 was patched in December 2024 (firmware version 10.2.1.14-75sv and higher).
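As an added example (not code from watchTowr or the article), the following script does two defender-side checks drawn from the details above: it compares an SMA 100 firmware version string against the two fixed versions the article reports, and it scans Apache access-log lines for the encoded question mark (%3F) in a request path, the input class that the `UnsafeAllow3F` mod_rewrite flag mentioned in the Ubuntu notice below refers to. The log lines and the version `10.2.1.9-57sv` are constructed for illustration, and the firmware version format is assumed from the two versions quoted in the article.

```python
"""Firmware exposure check and access-log scan for the SMA 100 chain described above."""
import re
from typing import List, Tuple

# Firmware versions that first fixed each CVE, as reported in the article.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",  # command injection, patched December 2023
    "CVE-2024-38475": "10.2.1.14-75sv",  # Apache mod_rewrite file read, patched December 2024
}

# Assumed version format, derived from the two strings above: a.b.c.d-NNsv
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into a comparable tuple (10, 2, 1, 14, 75)."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())


def unpatched_cves(version: str) -> List[str]:
    """Return the CVEs from the article whose fix the given firmware does not yet include."""
    have = parse_firmware(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if have < parse_firmware(fixed))


# An encoded '?' inside the *path* (not the query string) has no legitimate use
# against the appliance's web UI, so it is a cheap indicator worth alerting on.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_text: str) -> List[str]:
    """Return request targets from Apache access-log lines whose path contains %3F."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # a real query string is fine
        if "%3f" in path.lower():
            hits.append(m.group("target"))
    return hits


# Constructed sample log lines (not real traffic) for a quick self-check.
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2025:10:15:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.10 - - [02/May/2025:10:15:03 +0000] "GET /cgi-bin/welcome?lang=en HTTP/1.1" 200 2048
198.51.100.7 - - [02/May/2025:10:16:42 +0000] "GET /static/theme%3Fid=1/style.css HTTP/1.1" 200 40960
"""

if __name__ == "__main__":
    print(unpatched_cves("10.2.1.12-70sv"))  # only the Apache file-read fix is missing
    print(suspicious_requests(SAMPLE_LOG))
```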

watchTowr has also released a tool (Detection Artefact Generator) for detecting and exploiting these vulnerabilities. It can help organizations assess their exposure, confirm that the necessary patches are in place, and put appropriate security measures in place.

The fact that CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on May 1, 2025, and mandated that federal agencies apply the patches by May 22, 2025, highlights the urgency of the situation. That is why it is crucial to promptly address them on critical edge devices such as the SonicWall SMA 100.

Related news

About Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475) vulnerability

About Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475) vulnerability. Improper escaping of output in mod_rewrite module leads to remote code execution or arbitrary file reading. Successful exploitation does not require authentication. 🔻 Apache HTTP Server 2.4.60, which includes a fix for this vulnerability, was released on July 1, 2024. Orange […]

Gentoo Linux Security Advisory 202409-31

Gentoo Linux Security Advisory 202409-31 - Multiple vulnerabilities have been found in Apache HTTPD, the worst of which could result in denial of service. Versions greater than or equal to 2.4.62 are affected.

Ubuntu Security Notice USN-6885-3

Ubuntu Security Notice 6885-3 - USN-6885-1 fixed several vulnerabilities in Apache. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions.

Red Hat Security Advisory 2024-4938-03

Red Hat Security Advisory 2024-4938-03 - An update for httpd is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a null pointer vulnerability.

Red Hat Security Advisory 2024-4830-03

Red Hat Security Advisory 2024-4830-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a null pointer vulnerability.

Red Hat Security Advisory 2024-4827-03

Red Hat Security Advisory 2024-4827-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a null pointer vulnerability.

Red Hat Security Advisory 2024-4820-03

Red Hat Security Advisory 2024-4820-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a null pointer vulnerability.

Debian Security Advisory 5729-1

Debian Linux Security Advisory 5729-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.

Ubuntu Security Notice USN-6885-2

Ubuntu Security Notice 6885-2 - USN-6885-1 fixed vulnerabilities in Apache HTTP Server. One of the security fixes introduced a regression when proxying requests to a HTTP/2 server. This update fixes the problem. Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to h...

Ubuntu Security Notice USN-6885-1

Ubuntu Security Notice 6885-1 - Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication.
