CVE-2023-44221
Published 2023-12-05
CVSS 3.1: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2025-05-22
Exploited in the wild
EPSS: 74.93% (99.4th percentile)
Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma100 | — | — |
| sonicwall | sma_200_firmware | <= 10.2.1.9-57sv | — |
| sonicwall | sma_210_firmware | <= 10.2.1.9-57sv | — |
| sonicwall | sma_400_firmware | <= 10.2.1.9-57sv | — |
| sonicwall | sma_410_firmware | <= 10.2.1.9-57sv | — |
| sonicwall | sma_500v_firmware | <= 10.2.1.9-57sv | — |
Detection & IOCs (extracted from sources)
Detections:
- Monitor the SMA100 SSL-VPN management interface for authenticated admin sessions that result in unexpected OS commands executing as the 'nobody' user; that is the footprint of CVE-2023-44221 post-authentication command injection.
- Review SMA100 device logs for unauthorized logins; SonicWall PSIRT names this as an indicator of active exploitation of CVE-2023-44221.
- Look for HTTP GET requests to SMA100 appliances whose path contains a URL-encoded '?' (%3f) followed by a fake CSS extension (e.g. %3f.1.1.1.1a-1.css) and that point at internal filesystem paths such as /tmp/temp.db or /mnt/ram/var/log/httpd.log. This is the CVE-2024-38475 mod_rewrite abuse that is chained with CVE-2023-44221.
- Use the Shodan query html:"SonicWall" html:"SMA" to find internet-exposed SMA100 appliances that may be vulnerable to CVE-2023-44221 and CVE-2024-38475.
- Affected models are SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v; treat any of them running firmware older than 10.2.1.14-75sv as a high-priority target for active exploitation.
Context:
- Exploitation of CVE-2023-44221 requires administrative credentials on the SMA100 management interface. It is a post-authentication vulnerability, so initial access or credential compromise is a prerequisite.
- CVE-2023-44221 is being chained with the pre-authentication file read CVE-2024-38475 (Apache mod_rewrite improper escaping): the file read supplies the admin-session access that CVE-2023-44221 needs (the watchTowr write-up linked below is titled "from stolen tokens to remote shells"), and the command injection then yields unauthenticated remote code execution as 'nobody'. Detections should account for both CVEs being used together.
- Commands injected via CVE-2023-44221 execute only as the low-privileged 'nobody' user, which limits but does not eliminate post-exploitation impact.
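The HTTP-side indicators above (a URL-encoded '?' followed by a fake .css suffix, aimed at /tmp/temp.db or /mnt/ram/var/log/httpd.log) turned into a small log scanner. This is an added example, not code from SonicWall, CISA or watchTowr. It assumes the appliance's httpd log is in Apache combined format (an assumption), the sample log lines are constructed, and it deliberately matches the %3f on the raw request target while checking the file path on the decoded one, since a literal '?' would have been treated as the start of a query string. It does not cover the process-level indicator (commands running as 'nobody') or login auditing, which need the appliance's own audit logs.

```python
"""Scan an SMA100 httpd access log for the CVE-2024-38475 file-read requests that
precede CVE-2023-44221 command injection.

Added example (not SonicWall, CISA or watchTowr code). Assumes the appliance
writes Apache combined log format; the SAMPLE_LOG lines below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Filesystem targets named in the IOC note above.
SENSITIVE_PATHS = ("/tmp/temp.db", "/mnt/ram/var/log/httpd.log")

# URL-encoded '?' followed by a fake ".css" suffix, e.g. "%3f.1.1.1.1a-1.css".
# Matched on the raw request target: a literal '?' would start the query string,
# so the encoded form is what carries the suffix through to mod_rewrite.
ENCODED_QMARK_CSS_RE = re.compile(r"%3f[^/?]*\.css(?:$|[?#])", re.IGNORECASE)

# Apache combined log format; that the SMA100 uses it is an assumption.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


@dataclass
class Hit:
    ip: str
    ts: str
    uri: str
    status: int
    indicators: list[str] = field(default_factory=list)

    @property
    def confidence(self) -> str:
        # Suffix trick plus a known target file plus a 200 reads like a successful
        # disclosure; a lone indicator or a 4xx is worth a look, not an alarm.
        if len(self.indicators) >= 2 and self.status == 200:
            return "high"
        return "medium"


def classify_line(line: str) -> Hit | None:
    """Return a Hit for a suspicious GET line, or None for benign or unparseable lines."""
    m = COMBINED_RE.match(line)
    if m is None or m["method"] != "GET":
        return None
    uri = m["uri"]
    indicators: list[str] = []
    if ENCODED_QMARK_CSS_RE.search(uri):
        indicators.append("encoded-qmark-css-suffix")
    # Decode once, then keep only what precedes the (now literal) '?': that is the
    # filesystem path the rewrite would have handed to the server.
    target = unquote(uri).split("?", 1)[0]
    for path in SENSITIVE_PATHS:
        if target.endswith(path):
            indicators.append(f"sensitive-path:{path}")
    if not indicators:
        return None
    return Hit(m["ip"], m["ts"], uri, int(m["status"]), indicators)


def scan(log_text: str) -> list[Hit]:
    hits = (classify_line(line) for line in log_text.splitlines())
    return [h for h in hits if h is not None]


# Constructed sample: two chained-exploit reads, two benign requests, one probe.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:02:11 +0000] "GET /mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.7 - - [29/Apr/2025:10:02:14 +0000] "GET /tmp/temp.db%3f.1.1.1.1a-1.css HTTP/1.1" 200 65536 "-" "curl/8.5.0"
198.51.100.3 - - [29/Apr/2025:10:03:01 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
198.51.100.3 - - [29/Apr/2025:10:03:05 +0000] "GET /themes/default/style.css?v=3 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Apr/2025:10:04:40 +0000] "GET /etc/passwd%3F.x.css HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.confidence:6} {hit.ip:15} {hit.status} {hit.uri} {hit.indicators}")
```

A real .css request with a genuine query string (the fourth sample line) does not fire, and a probe using the suffix trick against a path outside the known targets is reported at lower confidence so analysts can still see it.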
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.1 | CRITICAL | — (this is VulnCheck's score for the chained CVE-2024-38475; its entry for CVE-2023-44221 itself is 7.2 HIGH, see below) |
| CISA | — | 7.2 | HIGH | — |
CISA
SonicWall SMA100 Appliances OS Command Injection Vulnerability
cisa·2025-05-01·CVSS 7.2
CVE-2023-44221 [HIGH] CWE-78 SonicWall SMA100 Appliances OS Command Injection Vulnerability
Vulnerability: SonicWall SMA100 Appliances OS Command Injection Vulnerability
Affected: SonicWall SMA100 Appliances
SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018 ; https://nvd.nist.gov/vuln/detail/CVE-2023-44221
Remediation Due Date: 2025-05-22
VulnCheck
Apache HTTP Server Improper Escaping of Output Vulnerability
vulncheck·2024·CVSS 9.1
CVE-2024-38475 [CRITICAL] CWE-116 Apache HTTP Server Improper Escaping of Output Vulnerability
Apache HTTP Server Improper Escaping of Output Vulnerability
Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Affected: Apache HTTP Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://labs.watchtowr.com/sonicboom-from-
GHSA
GHSA-q6mf-v98h-w783: Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative priv
ghsa_unreviewed·2023-12-05
CVE-2023-44221 [HIGH] CWE-78 GHSA-q6mf-v98h-w783: Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative priv
Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.
VulnCheck
SonicWall SMA100 Appliances OS Command Injection Vulnerability
vulncheck·2023·CVSS 7.2
CVE-2023-44221 [HIGH] CWE-78 SonicWall SMA100 Appliances OS Command Injection Vulnerability
SonicWall SMA100 Appliances OS Command Injection Vulnerability
SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user.
Affected: SonicWall SMA100 Appliances
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-4422
No detection rules found.
Nuclei
Sonicwall - Pre-Authentication Arbitrary File Read
nuclei·CVSS 9.1
CVE-2024-38475 [CRITICAL] Sonicwall - Pre-Authentication Arbitrary File Read
Sonicwall - Pre-Authentication Arbitrary File Read
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally or directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution is appropriately constrained.
Template:
```yaml
id: CVE-2024-38475
info:
  name: Sonicwall - Pre-Authentication Arbitrary File Read
  author: shaikhyaser
  severity: critical
  descripti
```
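The condition described above for CVE-2024-38475 (a server-context substitution whose first segment is a backreference or variable, with no UnsafePrefixStat flag) as a config linter. This is an added example, not Apache's, SonicWall's or the template author's code. It assumes the input is server or virtual-host configuration; rules inside <Directory>, <Location> or <Files> containers are treated as out of scope and skipped (a simplification), continuation lines and RewriteMap are not handled, and the sample httpd.conf fragment is constructed, not the appliance's real configuration.

```python
"""Lint Apache RewriteRule substitutions for the CVE-2024-38475 condition:
a server-context substitution whose first path segment is a backreference
($N or %N) or a variable (%{...}) and that carries no UnsafePrefixStat flag.

Added example, not Apache's or SonicWall's code. Rules inside <Directory>,
<Location> or <Files> blocks are skipped as out of scope (simplification);
SAMPLE_CONF below is constructed, not the appliance's real httpd.conf.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<subst>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?\s*$",
    re.IGNORECASE,
)
# First segment begins with a backreference or a variable, with or without a leading '/'.
UNSAFE_PREFIX_RE = re.compile(r"^/?(?:\$\d|%\d|%\{)")
# Container directives whose rules are not server-context rules.
CONTAINER_RE = re.compile(
    r"^\s*<(?P<close>/?)(?:Directory|Location|Files)(?:Match)?\b", re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int
    substitution: str
    opted_in: bool  # UnsafePrefixStat present: permitted, but the substitution must be constrained

    @property
    def message(self) -> str:
        if self.opted_in:
            state = "opted in via UnsafePrefixStat; confirm the substitution is constrained"
        else:
            state = "first segment is request-controlled; constrain it before opting back in"
        return f"line {self.line_no}: {self.substitution!r}: {state}"


def _has_flag(flags: str | None, name: str) -> bool:
    """Flags are comma-separated; some carry '=value' (e.g. E=VAR:val), so compare the bare name."""
    if not flags:
        return False
    return any(f.strip().split("=", 1)[0].lower() == name.lower() for f in flags.split(","))


def lint_rewrite_rules(conf: str) -> list[Finding]:
    findings: list[Finding] = []
    depth = 0  # > 0 while inside a <Directory>/<Location>/<Files> block
    for line_no, line in enumerate(conf.splitlines(), start=1):
        c = CONTAINER_RE.match(line)
        if c:
            depth += -1 if c["close"] else 1
            continue
        if depth > 0:
            continue
        m = RULE_RE.match(line)
        if not m or not UNSAFE_PREFIX_RE.match(m["subst"]):
            continue
        findings.append(Finding(line_no, m["subst"], _has_flag(m["flags"], "UnsafePrefixStat")))
    return findings


# Constructed sample: one safe rule, two affected rules, one opted-in rule,
# and one per-directory rule that the linter leaves alone.
SAMPLE_CONF = r"""RewriteEngine On
# Literal first segment: the prefix Apache stats is fixed, not attacker input.
RewriteRule ^/images/(.*)$ /var/www/static/images/$1 [L]
# Backreference as first segment: the CVE-2024-38475 condition.
RewriteRule ^/(.*\.css)$ $1 [L]
# Variable as first segment, explicitly opted back in after review.
RewriteRule ^/assets/(.*)$ %{DOCUMENT_ROOT}/assets/$1 [L,UnsafePrefixStat]
RewriteRule ^/(.*)$ %{ENV:BASE}/$1 [L]
<Directory /var/www>
    RewriteRule ^(.*)$ $1
</Directory>
"""

if __name__ == "__main__":
    for finding in lint_rewrite_rules(SAMPLE_CONF):
        print(finding.message)
```

Run it against a vendor appliance's extracted httpd.conf to see which rewrite targets are under request control; a finding marked as opted in is not a bug by itself, but it is the line whose pattern needs to prove the substitution cannot reach arbitrary filesystem paths.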
Wiz
Crying Out Cloud Newsletter - June 2025 | Wiz
blogs_wiz·2025-06-01·CVSS 9.8
[CRITICAL] Crying Out Cloud Newsletter - June 2025 | Wiz
Welcome back!
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Here are our top picks of cloud security highlights!
## 🔍 Highlights
## Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild
On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE. Therefore, while neither of t
Bleepingcomputer
SonicWall urges admins to patch VPN flaw exploited in attacks
blogs_bleepingcomputer·2025-05-08·CVSS 8.8
CVE-2025-32819 [HIGH] SonicWall urges admins to patch VPN flaw exploited in attacks
## SonicWall urges admins to patch VPN flaw exploited in attacks
## Sergiu Gatlan
SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.
"SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release
Checkpoint
5th May – Threat Intelligence Report
blogs_checkpoint·2025-05-05
CVE-2023-44221 5th May – Threat Intelligence Report
## 5th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Three major UK retailers (Co-op, Harrods and Marks & Spencer (M&S)) were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed to be linked to the Scattered Spider gang, while the DragonForce ransomware gang claimed responsibility for the attacks.
The American non-profit healthcare system,
Bleepingcomputer
SonicWall warns of more VPN flaws exploited in attacks
blogs_bleepingcomputer·2025-04-30·CVSS 6.5
CVE-2023-44221 [MEDIUM] SonicWall warns of more VPN flaws exploited in attacks
## SonicWall warns of more VPN flaws exploited in attacks
## Sergiu Gatlan
Cybersecurity company SonicWall has warned customers that two older vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
On Tuesday, SonicWall updated security advisories for the CVE-2023-44221 and CVE-2024-38475 security flaws to tag the two vulnerabilities as "potentially being exploited in the wild."
CVE-2023-44221 is described as a high-severity command injection vulnerability caused by improper neutralization of special elements in the SMA100 SSL-VPN management interface that enables attackers with admin privileges to inject arbitrary commands as a 'nobody' user.
The second security bug, CVE-2024-38475, is rated as a critical severity flaw caused
Timeline
- 2023-12-05: Published
- 2025-05-01: Added to CISA KEV
- Exploited in the wild