⚠ Actively exploited
Added to CISA KEV on 2025-05-01. Federal agencies required to patch by 2025-05-22. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2023-44221 — OS Command Injection in SonicWall SMA100
Severity: 7.2 HIGH (NVD)
EPSS: 21.7% (top 4.24%)
CISA KEV: yes, added 2025-05-01, due 2025-05-22
Exploit: No known exploits listed (the KEV entry itself attests to in-the-wild exploitation)
Timeline
Published: Dec 5, 2023
KEV added: May 1, 2025
KEV due: May 22, 2025
Description
Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary OS commands, which execute as the 'nobody' user (CWE-78, OS command injection). Exploitation requires valid administrative credentials on the management interface, which is why the base score is High rather than Critical (PR:H in the vector); the management interface should nonetheless not be reachable from untrusted networks, and the KEV listing shows that attackers are obtaining or reusing such credentials in practice.
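To make the vulnerability class concrete, here is an added, hypothetical illustration of the CWE-78 pattern the description names: an administrative "diagnostic" handler that interpolates an operator-supplied hostname into a shell command string, beside the hardened form that validates the value against a strict allowlist and passes it as an argv element with no shell involved. This is example code written for this page, not SMA100 source; the function names, the `ping` diagnostic and the `example.com; id` payload are all constructed assumptions. It does not model the appliance's privilege drop to `nobody`.

```python
"""Illustrative CWE-78 pattern in a management-interface handler and its fix.
Hypothetical code added for this page; it is not SMA100 source."""
import re
import shlex
import subprocess

# RFC 1123-style hostname allowlist: labels of letters, digits and hyphens,
# joined by dots. Anything a shell could interpret (; | & $ ` quotes, space)
# is outside this grammar and is rejected before any command is built.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_diag_command_vulnerable(host):
    """Vulnerable: the admin-supplied field is interpolated into a shell
    string that would be handed to `/bin/sh -c`. Metacharacters in `host`
    are parsed by the shell instead of being treated as part of a hostname."""
    return f"ping -c 1 {host}"


def shell_words(command):
    """Tokenise `command` the way a POSIX shell would, so the effect of an
    injected separator is visible without executing anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_diag_command_hardened(host):
    """Hardened: validate against the allowlist, then return an argv list for
    subprocess.run(argv) with shell=False. No shell ever sees the value, so
    there is nothing left to 'neutralise'."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_diag(host):
    """Execute the hardened command; only reached for allowlisted input."""
    argv = build_diag_command_hardened(host)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    payload = "example.com; id"  # constructed attacker input
    print(build_diag_command_vulnerable(payload))
    print(shell_words(build_diag_command_vulnerable(payload)))
    print(build_diag_command_hardened("vpn.example.com"))
    try:
        build_diag_command_hardened(payload)
    except ValueError as exc:
        print(exc)
```

The point of the hardened form is the combination: the allowlist rejects anything that is not a hostname, and the argv list means that even a value slipping past validation is delivered to `ping` as a single argument rather than being re-parsed by a shell. Escaping metacharacters in a string that still goes to `sh -c` is the weaker fix, since the set of characters to escape depends on the shell and on where in the command the value lands.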
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore: 1.2 | Impact subscore: 5.9
Affected Packages: 6 packages
Vulnerability Details
Sources (3):
GHSA-q6mf-v98h-w783 (GitHub Advisory Database), published 2023-12-05; same description as above.
CVE-2023-44221 (CVE List), published 2023-12-05; same description as above.