CVE-2023-44221
published 2023-12-05


Priority: P1 · 84 · high
CVSS 3.1: 7.2 (AV:N AC:L PR:H UI:N S:U C:H I:H A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-05-22
Exploited in the wild
EPSS: 74.93% (99.4th percentile)
Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.

Affected (6 ranges)

Vendor      Product              Version range       Fixed in
sonicwall   sma100
sonicwall   sma_200_firmware     <= 10.2.1.9-57sv
sonicwall   sma_210_firmware     <= 10.2.1.9-57sv
sonicwall   sma_400_firmware     <= 10.2.1.9-57sv
sonicwall   sma_410_firmware     <= 10.2.1.9-57sv
sonicwall   sma_500v_firmware    <= 10.2.1.9-57sv

Detection & IOCs

url:  /tmp/temp.db%3f.1.1.1.1a-1.css
url:  /mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css
path: /tmp/temp.db
  • Monitor SMA100 SSL-VPN management interface for authenticated admin sessions issuing unexpected OS commands executed as the 'nobody' user — indicative of CVE-2023-44221 post-authentication command injection.
  • Review SMA100 device logs for unauthorized logins, as SonicWall PSIRT specifically recommends this as an indicator of active exploitation of CVE-2023-44221.
  • Detect exploitation attempts via HTTP GET requests to SMA100 appliances containing URL-encoded '?' (%3f) followed by a CSS extension pattern (e.g., %3f.1.1.1.1a-1.css) targeting internal filesystem paths such as /tmp/temp.db or /mnt/ram/var/log/httpd.log — characteristic of the CVE-2024-38475 mod_rewrite abuse chained with CVE-2023-44221.
  • Use Shodan query 'html:"SonicWall" html:"SMA"' to identify internet-exposed SMA100 appliances potentially vulnerable to CVE-2023-44221 and CVE-2024-38475.
  • Affected devices include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v; flag any of these running firmware older than 10.2.1.14-75sv as high-priority targets for active exploitation.
  • Exploitation of CVE-2023-44221 requires the attacker to already hold administrative credentials on the SMA100 management interface; this is a post-authentication vulnerability, meaning initial access or credential compromise is a prerequisite.
  • CVE-2023-44221 is actively being chained with the pre-authentication file read vulnerability CVE-2024-38475 (Apache mod_rewrite improper escaping) to achieve full unauthenticated RCE; detections should account for both CVEs being used together.
  • Commands injected via CVE-2023-44221 execute only as the low-privileged 'nobody' user, which may limit but does not eliminate post-exploitation impact.
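The request-pattern bullet above describes what to look for in web-server logs: a literal URL-encoded question mark (%3f) followed by a .css suffix, aimed at the appliance's internal file paths. The following is an added example (not code from this page, from SonicWall, or from the vulnerability database) that runs that check over a handful of constructed Apache-style access-log lines; the log format, source addresses and timestamps are assumptions made for the demonstration, while the two IOC URLs and the sensitive paths are the ones listed above. It also flags the %3f-plus-.css shape on paths outside the IOC list at a lower confidence, since the page says these two paths are examples rather than an exhaustive set.

```python
import re

# Constructed sample log lines in Apache common log format. They are illustrative
# input only, not captured SMA100 traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2025:10:00:01 +0000] "GET /tmp/temp.db%3f.1.1.1.1a-1.css HTTP/1.1" 200 4096
203.0.113.10 - - [01/May/2025:10:00:02 +0000] "GET /mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css HTTP/1.1" 200 81920
198.51.100.7 - - [01/May/2025:10:00:03 +0000] "GET /static/style.css HTTP/1.1" 200 512
198.51.100.7 - - [01/May/2025:10:00:04 +0000] "GET /cgi-bin/welcome?x=1 HTTP/1.1" 302 0
"""

# Common log format: client, identd, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Internal filesystem paths named in the page's IOC list. The check is on the raw,
# still-encoded request path: a genuine query string would contain a plain '?',
# so a literal "%3f" inside the path component is itself the anomaly.
SENSITIVE_PREFIXES = ("/tmp/temp.db", "/mnt/ram/var/log/httpd.log")

# Literal %3f (encoded '?') somewhere in the path, with the path ending in ".css".
ENCODED_QMARK_CSS = re.compile(r"%3f[^ ]*\.css$", re.IGNORECASE)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Return None for a benign path, otherwise a short reason string.

    'high' means the request matches both halves of the page's indicator
    (encoded '?' + .css suffix AND one of the listed internal paths);
    'low' means only the encoding trick is present, on some other path.
    """
    if not ENCODED_QMARK_CSS.search(path):
        return None
    if path.lower().startswith(SENSITIVE_PREFIXES):  # str.startswith accepts a tuple
        return "high: encoded '?' + .css suffix on listed internal path"
    return "low: encoded '?' + .css suffix on unlisted path"


def scan(log_text):
    """Run the classifier over every parseable GET line; return the hits in file order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "GET":
            continue
        reason = classify(entry["path"])
        if reason is not None:
            hits.append({
                "src": entry["src"],
                "ts": entry["ts"],
                "path": entry["path"],
                "status": entry["status"],
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['status']} {hit['path']} -> {hit['reason']}")
```

Matching on the raw request line rather than on a decoded path is deliberate: once %3f is decoded to '?', the request looks like an ordinary query string and the indicator disappears. In production the same classifier would be fed from the appliance's exported HTTP logs or a proxy in front of the management interface, and a 'high' hit from an address that also shows an unexpected admin login (the page's second bullet) is the combination worth paging on.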

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.1     CRITICAL
cisa                  7.2     HIGH