05 May

A new exploit chain targeting SonicWall’s Secure Mobile Access (SMA) appliances has been released. Published by watchTowr Labs, the technical disclosure outlines how two distinct vulnerabilities, CVE-2023-44221 and CVE-2024-38475, can be weaponized together to enable remote, unauthenticated attackers to hijack admin sessions and execute arbitrary code.
Described by SonicWall as a critical vulnerability, CVE-2024-38475 resides in Apache HTTP Server’s mod_rewrite module, affecting version 2.4.59 and earlier. Improper escaping of output allows attackers to map malicious URLs to sensitive file paths, effectively bypassing authentication on affected SMA appliances.
CVE-2024-38475, a vulnerability in Apache HTTP Server, can be exploited to bypass authentication and gain administrative control over vulnerable SonicWall SMA appliances. This alone would pose a substantial risk, but paired with CVE-2023-44221 the danger escalates.
Unlike the pre-auth bug, CVE-2023-44221 is a post-authentication command injection vulnerability affecting the Diagnostics menu of the SMA management interface. Because special elements are improperly neutralized, an authenticated attacker with admin privileges can inject arbitrary system commands, which run in the context of the nobody user.
This flaw becomes especially dangerous when an attacker leverages CVE-2024-38475 to hijack a session or elevate privileges without needing valid credentials.
By chaining the two flaws, a threat actor could first use CVE-2024-38475 to gain access to restricted admin pages and steal session tokens, then use CVE-2023-44221 to execute arbitrary commands on the device. watchTowr Labs also published a working proof-of-concept (PoC) exploit chain, emphasizing the urgency of patching.
The vulnerabilities impact the following SonicWall SMA appliances:
* SMA 200
* SMA 210
* SMA 400
* SMA 410
* SMA 500v

SonicWall has issued firmware version 10.2.1.14-75sv and later as the fix. The company also confirmed an additional exploitation technique involving CVE-2024-38475, stating: "Unauthorized access to certain files could enable session hijacking."
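As an added example (not from the advisory or from watchTowr), the following Python helper turns the affected-model list and fixed firmware build above into an inventory check. It assumes SMA 100-series firmware strings always have the `10.2.1.14-75sv` shape; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Facts from the advisory: affected models and the first fixed firmware build.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
FIXED_FIRMWARE = "10.2.1.14-75sv"

# Assumed firmware string shape: major.minor.patch.build-<hotfix>sv
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> tuple:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so builds compare numerically.

    Plain string comparison gets this wrong ('10.2.1.9' sorts after '10.2.1.14'),
    so unrecognised strings are rejected rather than compared lexically.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is in the affected list and its firmware predates the fix."""
    if model.strip() not in AFFECTED_MODELS:
        return False
    return parse_sma_version(version) < parse_sma_version(FIXED_FIRMWARE)


def triage(inventory):
    """Return the (hostname, model, version) records that still need the patch."""
    return [rec for rec in inventory if is_vulnerable(rec[1], rec[2])]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-edge-1", "SMA 410", "10.2.1.13-72sv"),   # older build: patch
    ("vpn-edge-2", "SMA 500v", "10.2.1.14-75sv"),  # exactly the fixed build: ok
    ("vpn-edge-3", "SMA 200", "10.2.1.9-57sv"),    # older build that string-sorts "newer"
    ("vpn-lab", "SMA 1000", "12.4.3-02758"),       # different product line: out of scope
]

if __name__ == "__main__":
    for host, model, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {ver} is below {FIXED_FIRMWARE}; patch required")
```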
