Categories: Cyber Security News

CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding an actively exploited OS command injection vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 series appliances.

The flaw, tracked as CVE-2023-44221, allows remote, authenticated attackers with administrative privileges to inject arbitrary operating system commands via the SSL-VPN management interface, potentially leading to full system compromise.

Vulnerability Details and Impact

First disclosed in December 2023, CVE-2023-44221 has now been confirmed as exploited in real-world attacks, with in-the-wild exploitation reported in April 2025.

The vulnerability arises from the improper neutralization of special elements used in an OS command (CWE-78) in the SMA100 SSL-VPN management interface: attacker-controlled input reaches a command line without being sanitized, so shell metacharacters are interpreted as commands.

Attackers exploiting this flaw can execute commands as the ‘nobody’ user. Although ‘nobody’ is a low-privileged account rather than root, command execution on the appliance itself can still result in unauthorized access, data exfiltration, or further infiltration of enterprise networks.
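The flaw class named above, improper neutralization of special elements in an OS command (CWE-78), is illustrated by the following added Python example. It is generic teaching code written for this article, not SonicWall's code and not a reproduction of the SMA100 bug: `echo` stands in for whatever network utility a management interface might invoke so the demo runs offline, the hostname allow-list regex is an assumption chosen for the demo, and the attacker payload is constructed.

```python
import re
import subprocess

# Allow-list for a hostname argument (assumption for this demo): letters, digits,
# dots and hyphens only, and it may not start with '-' so the value cannot be
# parsed as an option by the invoked program (argument injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def run_diagnostic_vulnerable(host: str) -> str:
    """CWE-78 pattern: attacker-controlled text is spliced into a shell command
    line, so metacharacters (; | & $( ) `) are interpreted by /bin/sh.
    `echo` stands in for a real tool such as ping or traceroute."""
    cmd = f"echo RESOLVING {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def accepts_argument(host: str) -> bool:
    """True if the hardened path would accept `host` as an argument."""
    return HOSTNAME_RE.fullmatch(host) is not None


def run_diagnostic_hardened(host: str) -> str:
    """Neutralises the input two ways: reject anything outside the allow-list,
    and pass the value as a single argv element with no shell in between."""
    if not accepts_argument(host):
        raise ValueError(f"rejected host argument: {host!r}")
    argv = ["echo", "RESOLVING", host]  # no shell: host is one argument, whatever it contains
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injection_succeeded(output: str, marker: str) -> bool:
    """A line consisting only of the marker means the injected command ran."""
    return marker in output.splitlines()


PAYLOAD = "example.com; echo INJECTED"  # constructed attacker input


if __name__ == "__main__":
    out = run_diagnostic_vulnerable(PAYLOAD)
    verdict = "injected command executed" if injection_succeeded(out, "INJECTED") else "no injection"
    print("vulnerable:", repr(out), "->", verdict)
    try:
        run_diagnostic_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened, benign input:", repr(run_diagnostic_hardened("example.com")))
```

The vulnerable path prints a second line, `INJECTED`, because `/bin/sh` treated the `;` as a command separator; the hardened path rejects the same input outright and, even for accepted values, never hands a string to a shell.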

The affected products include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices running firmware versions 10.2.1.9-57sv and earlier.

SonicWall has released patches, urging all customers to upgrade to firmware version 10.2.1.14-75sv or later to mitigate the risk.
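A practical first step is checking whether each appliance in an inventory sits inside the affected range or below the recommended build. The following added Python example, written for this article and not SonicWall tooling, parses the SMA100 firmware string format seen above (`10.2.1.9-57sv`) and triages a constructed inventory against the two thresholds the advisory gives; the device names and the inventory versions are sample values, not real systems.

```python
import re
from typing import Dict, NamedTuple, Tuple

# SMA100 firmware strings look like "10.2.1.9-57sv": dotted release, dash, build number, "sv".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)sv$")


class FirmwareVersion(NamedTuple):
    release: Tuple[int, ...]  # e.g. (10, 2, 1, 9)
    build: int                # e.g. 57
    # NamedTuple ordering compares `release` first, then `build`, so
    # 10.2.1.9-57sv sorts below 10.2.1.14-75sv, which a plain string compare gets wrong.


def parse_version(text: str) -> FirmwareVersion:
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 firmware string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return FirmwareVersion(release, int(m.group(2)))


LAST_VULNERABLE = parse_version("10.2.1.9-57sv")   # last affected build per this advisory
RECOMMENDED = parse_version("10.2.1.14-75sv")      # upgrade target per this advisory


def is_affected(version: str) -> bool:
    return parse_version(version) <= LAST_VULNERABLE


def meets_recommendation(version: str) -> bool:
    return parse_version(version) >= RECOMMENDED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance to an action using the advisory's two thresholds."""
    result = {}
    for name, version in inventory.items():
        try:
            if is_affected(version):
                result[name] = "PATCH NOW: in affected range (<= 10.2.1.9-57sv)"
            elif meets_recommendation(version):
                result[name] = "OK: at or above 10.2.1.14-75sv"
            else:
                result[name] = "REVIEW: above affected range but below recommended 10.2.1.14-75sv"
        except ValueError as exc:
            result[name] = f"UNKNOWN: {exc}"
    return result


# Constructed inventory for the demo; these are not real devices.
SAMPLE_INVENTORY = {
    "sma410-dc1": "10.2.1.9-57sv",
    "sma500v-aws": "10.2.1.14-75sv",
    "sma200-branch": "10.2.1.10-62sv",
    "sma400-lab": "unknown",
}


if __name__ == "__main__":
    # Naive string comparison gets the ordering wrong because '9' sorts after '1'.
    print("string compare says 10.2.1.9-57sv < 10.2.1.14-75sv:", "10.2.1.9-57sv" < "10.2.1.14-75sv")
    print("parsed compare says 10.2.1.9-57sv < 10.2.1.14-75sv:",
          parse_version("10.2.1.9-57sv") < parse_version("10.2.1.14-75sv"))
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:15} {action}")
```

The parser matters more than it looks: comparing firmware strings lexically reports 10.2.1.9-57sv as newer than 10.2.1.14-75sv, which would mark a vulnerable appliance as patched. Anything that does not parse is reported as UNKNOWN rather than silently treated as safe.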

Active Exploitation and Broader Threat Landscape

Security researchers and SonicWall have confirmed that this vulnerability is being exploited in the wild, although details regarding the scope, targets, or attribution remain undisclosed.

CISA has added CVE-2023-44221 to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate affected systems by the catalog's due date, and encourages all other organizations to remediate immediately.

While it is currently unknown whether this vulnerability has been leveraged in ransomware campaigns, CISA and SonicWall emphasize the potential for severe consequences, including data breaches and disruption of critical services if left unpatched.

Mitigation Guidance

CISA and SonicWall recommend the following actions:

  • Immediately apply all security updates and patches released by SonicWall for the SMA100 series.
  • Review administrative and user access logs for signs of unusual activity or compromise.
  • Implement multi-factor authentication and reset passwords for all local accounts.
  • Limit VPN access to only necessary accounts and remove or disable unneeded accounts, including default admin accounts.
  • Consider discontinuing use of the product if mitigations cannot be applied.

Risk Factor Table

Risk Factor         | Description                                                                          | Severity
Vulnerability       | OS command injection (CVE-2023-44221) in the SMA100 SSL-VPN management interface     | High (CVSS 7.2)
Exploitation Status | Confirmed active exploitation in the wild                                            | Critical
Privilege Required  | Remote, authenticated attacker with administrative privilege                         | High
Potential Impact    | Arbitrary command execution as the ‘nobody’ user; possible full system compromise   | Severe
Ransomware Use      | Unknown                                                                              | Uncertain
Affected Devices    | SMA 200, 210, 400, 410, 500v (firmware 10.2.1.9-57sv and earlier)                    | High
Patch Availability  | Yes (10.2.1.14-75sv or later)                                                        | Mitigated if patched
Urgency of Action   | Immediate patching, or discontinuation if mitigation is unavailable                  | Critical

Organizations using SonicWall SMA100 appliances should act without delay to protect their networks from ongoing exploitation and evolving cyber threats.


The post CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw appeared first on Cyber Security News.


