The US cybersecurity agency CISA added two SonicWall flaws to the Known Exploited Vulnerabilities (KEV) catalog on the same day that proof-of-concept (PoC) exploit code targeting them was published.
The exploitation of the two security defects, tracked as CVE-2023-44221 and CVE-2024-38475, came to light last week, when SonicWall updated its advisories to flag them as targeted in attacks.
Affecting SonicWall’s SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v secure remote access products, the flaws can be exploited remotely to inject OS commands and map URLs to file system locations.
Patches for both bugs have been available since December 2023 and December 2024, and SMA 100 series devices running a software version of 10.2.1.14-75sv or later are not vulnerable.
Shortly after SonicWall warned that attackers are exploiting CVE-2023-44221 and CVE-2024-38475 in the wild, CISA added them to the KEV catalog, urging federal agencies to patch them by May 22, as mandated by the Binding Operational Directive (BOD) 22-01.
On the same day, watchTowr Labs published technical details on two flaws, and explained how threat actors are likely chaining them in attacks to take over vulnerable appliances.
The exploitation of CVE-2024-38475, the cybersecurity firm notes, allows attackers to bypass authentication and obtain admin-level control over impacted appliances. Next, CVE-2023-44221 can be targeted to execute commands as the ‘nobody’ user.
It’s worth noting that CVE-2024-38475 was actually assigned to a vulnerability in Apache HTTP Server, which is used by the impacted SonicWall products.
“Our decision to publicly release our Detection Artefact Generator today revolves around the painful reality that attackers already have all the necessary information to exploit vulnerable appliances (as the CISA KEV addition signifies),” watchTowr notes.
It is not uncommon for threat actors to target SonicWall vulnerabilities, including zero-days. All organizations are advised to update their SMA 100 series appliances as soon as possible, and to prioritize the patching of any products affected by the vulnerabilities in CISA’s KEV.
Related: SonicWall Flags Old Vulnerability as Actively Exploited
Related: SonicWall Patches High-Severity Vulnerability in NetExtender
Related: SonicWall Firewall Vulnerability Exploited After PoC Publication
Related: SonicWall Confirms Exploitation of New SMA Zero-Day