Two dangerous SonicWall vulnerabilities are now in the spotlight after proof-of-concept (PoC) exploit code was released—just as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially listed them in its Known Exploited Vulnerabilities (KEV) catalog.
The security flaws, tracked as CVE-2023-44221 and CVE-2024-38475, impact several SonicWall Secure Mobile Access (SMA) products. These include the SMA 200, 210, 400, 410, and 500v series—widely used for secure remote access across enterprises and government networks.
Exploits Published as CISA Issues Federal Patch Deadline
SonicWall recently updated its advisories to confirm that these bugs are actively being exploited in the wild. Within hours of this confirmation, watchTowr Labs released technical details and exploit demonstrations for both vulnerabilities. On the same day, CISA issued a federal mandate requiring agencies to patch the flaws by May 22, under Binding Operational Directive 22-01.
These vulnerabilities pose a serious risk:
- CVE-2024-38475 is an authentication bypass flaw, allowing attackers to gain admin-level access remotely.
- CVE-2023-44221 enables remote OS command injection under the ‘nobody’ user, potentially giving threat actors a foothold to execute further malicious actions.
Notably, CVE-2024-38475 stems from a flaw in the Apache HTTP Server, which SonicWall integrates into its SMA appliances—highlighting the cascading effect of upstream vulnerabilities in embedded systems.
SonicWall Patches Available, But Urgency Grows
SonicWall released patches for both flaws months ago—in December 2023 and December 2024 respectively. Systems running SMA 100 series firmware version 10.2.1.14-75sv or later are not affected.
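An added example, not code from SonicWall or from this article: a triage check that compares inventoried SMA firmware strings against the fixed release named above. The version format (four dotted integers, a build number, an "sv" suffix) is an assumption inferred from that one string, and the hostnames and other versions in the sample inventory are constructed.

```python
import re

# Fixed release named in the article: builds at or above this are not affected.
FIXED_VERSION = "10.2.1.14-75sv"

# Assumed format: four dotted integers, a hyphen, a build number, optional "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)(?:sv)?$", re.IGNORECASE)


def parse_version(text):
    """Return a 5-tuple of ints for comparison, or None if the string does not parse."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text, fixed=FIXED_VERSION):
    """Classify one firmware string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        # Never treat an unreadable version as safe; send it for manual review.
        return "unknown"
    # Integer tuples compare numerically, so 10.2.1.9 sorts below 10.2.1.14
    # (a plain string comparison would get that wrong).
    return "patched" if version >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """Group appliance names by status. `inventory` maps name -> firmware string."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for name, firmware in sorted(inventory.items()):
        report[classify(firmware)].append(name)
    return report


# Constructed sample inventory; hostnames and non-fixed versions are illustrative only.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.14-75sv",
    "sma-branch-02": "10.2.1.9-57sv",
    "sma-dr-03": "10.2.1.15-81sv",
    "sma-lab-04": "10.2.1.14-74sv",
    "sma-old-05": "unknown (SNMP timeout)",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Appliances reported as "unknown" should be checked by hand rather than assumed patched.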
Despite the availability of fixes, many organizations may still be lagging behind on updates. With exploit code now publicly available, the threat landscape has drastically shifted. watchTowr Labs emphasized that the release of their detection tools was a direct response to the reality that attackers already possess the knowledge to exploit unpatched systems.
What Security Teams Should Do Next
SonicWall devices have long been a popular target for cybercriminals and state-sponsored actors, particularly because of their role in secure remote access. With these newly weaponized flaws, the risks are no longer hypothetical.
All organizations—especially those using SMA 100 series or impacted configurations—should:
- Immediately apply all available patches
- Review the CISA KEV catalog for additional affected products
- Monitor systems for suspicious activity related to these vulnerabilities
The clock is ticking. CISA’s deadline of May 22 serves as both a warning and a call to action. Once exploits are in the wild, attackers waste no time.