The vulnerabilities affect SonicWall's SMA devices for secure remote access, which threat actors have heavily targeted in the past.  CISA added two older SonicWall bugs to the Known Exploited Vulnerabilities (KEV) catalog, marking the latest threat activity targeting the network security vendor's products.  The vulnerabilities are tracked as CVE-2023-44221 and CVE-2024-38475 and affect SonicWall's SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v secure remote access products.  They can be exploited remotely to inject OS commands and to map URLs to file system locations, respectively.  SonicWall vulnerabilities are popular targets for a variety of threat actors.  In January 2025, CISA warned that another vulnerability affecting SonicWall SMA devices, tracked as CVE-2025-23006, was under attack.[1]

According to researchers at WatchTowr, CVE-2023-44221, which was given a CVSS score of 7.2, is a post-authentication OS command injection in the SMA appliance, and CVE-2024-38475, with a CVSS score of 9.8, is a flaw in the Apache HTTP Server component bundled with the appliance that lets an unauthenticated attacker map a URL to a file system location and read arbitrary files.  Patches have been available for the two bugs since 2023 and 2024, respectively.  However, SonicWall updated its advisories last week to note that the two vulnerabilities are "potentially" under exploitation in the wild, which could allow attackers to read certain files and to hijack user sessions.  CISA is now stressing the importance of federal agencies patching the vulnerabilities by May 22.

The urgency has only heightened since WatchTowr Labs published technical details for the flaws on 02 May 2025, as well as insights into the exploitation activity. "Over the last few months, our client base has fed us rumors of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while," according to the WatchTowr blog post.

SonicWall is urging its customers to review their SMA devices to ensure that there are no current unauthorized logins.
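The review SonicWall asks for above boils down to two questions: did any login happen that should not have, and is any session token being used from somewhere other than where it was issued (the session-hijacking path the advisories describe). The script below is an added example, not code from the original article, SonicWall or WatchTowr, and it does not parse SonicWall's real log format: the key=value log lines are constructed for this example, and the admin account list and trusted management networks are assumptions to adjust for the environment under review.

```python
"""Added example: review a constructed SMA-style login/session log for logins
from untrusted sources and for session tokens reused from a new address."""
import ipaddress
import re

# Constructed sample for this example; this is NOT SonicWall's real log format.
SAMPLE_LOG = """\
time=2025-05-01T08:02:11Z event=login user=jsmith src=203.0.113.10 session=a1b2c3
time=2025-05-01T08:05:40Z event=login user=admin src=10.0.0.5 session=d4e5f6
time=2025-05-01T08:06:02Z event=request user=admin src=10.0.0.5 session=d4e5f6 path=/cgi-bin/viewcert
time=2025-05-01T08:06:30Z event=request user=jsmith src=198.51.100.77 session=a1b2c3 path=/cgi-bin/sslvpnclient
time=2025-05-01T09:15:00Z event=request user=bob src=198.51.100.77 session=zz9900 path=/cgi-bin/portal
time=2025-05-01T23:41:09Z event=login user=admin src=198.51.100.77 session=778899
"""

# Assumptions for the example: which accounts are administrative and which
# networks they are allowed to log in from. Adjust to the environment under review.
ADMIN_ACCOUNTS = {"admin"}
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict (empty dict for a blank line)."""
    return dict(KV_RE.findall(line))


def review_log(text):
    """Return findings as tuples (kind, user, session_id, src), in log order."""
    findings = []
    session_owner = {}  # session id -> (user, src the session was issued to)
    for raw in text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        src = ipaddress.ip_address(ev["src"])
        if ev["event"] == "login":
            # Administrative login from outside the trusted management networks.
            if ev["user"] in ADMIN_ACCOUNTS and not any(src in net for net in TRUSTED_ADMIN_NETS):
                findings.append(("admin_login_untrusted_src", ev["user"], ev["session"], ev["src"]))
            session_owner[ev["session"]] = (ev["user"], ev["src"])
        elif ev["event"] == "request":
            owner = session_owner.get(ev["session"])
            if owner is None:
                # A session id in use that no logged login issued: consistent
                # with a token obtained out of band and replayed.
                findings.append(("session_without_login", ev["user"], ev["session"], ev["src"]))
            elif owner[1] != ev["src"]:
                # Same token, but a different source address than it was issued to.
                findings.append(("session_used_from_new_src", owner[0], ev["session"], ev["src"]))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this flags three events: jsmith's session reused from a second address, a session id for bob that no login ever issued, and an admin login from outside the trusted range. On a real appliance the same logic needs the device's actual export format and a baseline of where administrators normally connect from; a session seen from a new address is an indicator to investigate, not proof of compromise on its own (mobile clients and NAT changes also produce it).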


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    



[1] https://www.darkreading.com/threat-intelligence/two-sonicwall-vulnerabilities-under-exploitation

© 2025 Red Sky Alliance Corporation. All rights reserved.
