The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding an actively exploited OS command injection vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 series appliances.
The flaw, tracked as CVE-2023-44221, allows remote, authenticated attackers with administrative privileges to inject arbitrary operating system commands via the SSL-VPN management interface, potentially leading to full system compromise.
Vulnerability Details and Impact
First disclosed by SonicWall in December 2023, CVE-2023-44221 sat unexploited for more than a year before SonicWall updated its advisory in April 2025 to confirm that it was being used in real-world attacks.
The vulnerability is an improper neutralization of special elements in an OS command (CWE-78): input supplied through the SMA100 SSL-VPN management interface reaches a shell command line without the shell metacharacters being stripped or escaped.
Commands injected this way run as the unprivileged ‘nobody’ user rather than as root, but even that foothold on an edge VPN appliance can be used for unauthorized access, data exfiltration, or further movement into the enterprise network.
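The following Python block is an added illustration of the vulnerability class only; it is not SonicWall's code and does not reproduce the SMA100 bug. It models a hypothetical admin-facing diagnostics handler (the `ping` command, the `target` parameter and the allow-list pattern are all assumptions) that splices a request parameter into a shell command line, beside two hardened forms: an argv list with no shell, and `shlex.quote` for the case where a shell cannot be avoided.

```python
import re
import shlex
import subprocess

# Added example of CWE-78 (improper neutralization of special elements used
# in an OS command). Hypothetical handler, not SonicWall code: an
# authenticated admin passes a "target" parameter to a host diagnostic.

# Vulnerable pattern: the parameter is spliced into a shell command line, so
# ';', '|', '$(...)' and backticks in the parameter are interpreted by /bin/sh.
def build_diag_command_vulnerable(target: str) -> str:
    return f"ping -c 1 {target}"

# Hardened pattern 1: allow-list the parameter (hostname / IPv4 / IPv6
# characters only) and pass it as a single argv element with shell=False, so
# nothing is ever shell-parsed. The pattern is an assumption for this demo.
_TARGET_RE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")

def is_safe_target(target: str) -> bool:
    return _TARGET_RE.fullmatch(target) is not None

def build_diag_command_safe(target: str) -> list[str]:
    if not is_safe_target(target):
        raise ValueError(f"rejected target parameter: {target!r}")
    return ["ping", "-c", "1", target]

# Hardened pattern 2: if a shell string is unavoidable, quote the value so the
# shell treats it as one literal word. Validation is still preferable.
def build_diag_command_quoted(target: str) -> str:
    return f"ping -c 1 {shlex.quote(target)}"

def run_diag(argv: list[str]) -> subprocess.CompletedProcess:
    # argv list, shell=False: metacharacters in argv[3] reach ping unchanged
    # and are simply an invalid hostname.
    return subprocess.run(argv, capture_output=True, text=True, check=False)

if __name__ == "__main__":
    payload = "192.0.2.1; id"  # constructed injection payload
    print("vulnerable :", build_diag_command_vulnerable(payload))
    print("quoted     :", build_diag_command_quoted(payload))
    try:
        build_diag_command_safe(payload)
    except ValueError as err:
        print("allow-list :", err)
    print("argv form  :", build_diag_command_safe("192.0.2.1"))
```

The vulnerable builder hands the shell `ping -c 1 192.0.2.1; id`, two commands. The quoted builder produces `ping -c 1 '192.0.2.1; id'`, one argument. The allow-list rejects the payload outright, which is the behaviour to prefer on an appliance management interface where the parameter has a known shape.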
The affected products include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices running firmware versions 10.2.1.9-57sv and earlier.
SonicWall has released patches, urging all customers to upgrade to firmware version 10.2.1.14-75sv or later to mitigate the risk.
Active Exploitation and Broader Threat Landscape
Security researchers and SonicWall have confirmed that this vulnerability is being exploited in the wild, although details regarding the scope, targets, or attribution remain undisclosed.
CISA has added CVE-2023-44221 to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate by the catalog's due date; CISA encourages all other organizations to remediate immediately as well.
While it is currently unknown whether this vulnerability has been leveraged in ransomware campaigns, CISA and SonicWall emphasize the potential for severe consequences, including data breaches and disruption of critical services if left unpatched.
Mitigation Guidance
CISA and SonicWall recommend the following actions:
- Immediately apply all security updates and patches released by SonicWall for the SMA100 series.
- Review administrative and user access logs for signs of unusual activity or compromise.
- Implement multi-factor authentication and reset passwords for all local accounts.
- Limit VPN access to only necessary accounts and remove or disable unneeded accounts, including default admin accounts.
- Consider discontinuing use of the product if mitigations cannot be applied.
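The first step in the list above is only actionable once you know which build each appliance runs. The following Python block is an added helper, not SonicWall tooling, that parses version strings in the form the advisory uses (`10.2.1.9-57sv`: dotted release, hyphen, build number, `sv`) and classifies them against the affected range and the recommended build. It assumes the appliance reports its version in exactly that form and that a fleet inventory is available as (hostname, version) pairs; the inventory shown is constructed sample data.

```python
import re

# Added helper, not SonicWall tooling. Version strings follow the advisory's
# own format, e.g. "10.2.1.9-57sv". Their exact presentation in the SMA100 UI
# or API is an assumption here.
LAST_AFFECTED = "10.2.1.9-57sv"   # this build and earlier are affected
RECOMMENDED = "10.2.1.14-75sv"    # SonicWall's recommended minimum (April 2025)

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")

def parse_sma_version(version: str) -> tuple:
    """Return a comparable tuple (major, minor, patch, hotfix, build)."""
    m = _VER_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognized SMA100 version string: {version!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # normalize short releases to 4 fields
    return (*parts[:4], int(m.group(2)))

def is_affected(version: str) -> bool:
    return parse_sma_version(version) <= parse_sma_version(LAST_AFFECTED)

def meets_recommendation(version: str) -> bool:
    return parse_sma_version(version) >= parse_sma_version(RECOMMENDED)

def assess(version: str) -> str:
    if is_affected(version):
        return "AFFECTED"
    if not meets_recommendation(version):
        # Outside the advisory's affected range, but still below the build
        # SonicWall now recommends.
        return "BELOW_RECOMMENDED"
    return "OK"

def classify_inventory(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map hostname -> assessment; unparseable versions are flagged, not skipped."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "UNPARSEABLE"
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    sample = [
        ("sma-hq-01", "10.2.1.9-57sv"),
        ("sma-dr-01", "10.2.1.14-75sv"),
        ("sma-lab-01", "10.2.1.5-34sv"),
        ("sma-old-01", "unknown"),
    ]
    for host, verdict in classify_inventory(sample).items():
        print(f"{host:12} {verdict}")
```

Tuple comparison handles the numeric ordering correctly (`10.2.1.9` sorts before `10.2.1.14`, which a plain string compare would get wrong), and the normalization step keeps a three-field release comparable with a four-field one. Treat `UNPARSEABLE` as a finding in its own right: an appliance whose version you cannot read is one you cannot vouch for.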
Risk Factor Table
| Risk Factor | Description | Severity |
|---|---|---|
| Vulnerability | OS command injection (CVE-2023-44221) in the SMA100 SSL-VPN management interface | High (CVSS 7.2) |
| Exploitation Status | Confirmed active exploitation in the wild | Critical |
| Privilege Required | Remote, authenticated attacker with administrative privilege | High |
| Potential Impact | Arbitrary command execution as the ‘nobody’ user; possible full system compromise | Severe |
| Ransomware Use | Unknown | Uncertain |
| Affected Devices | SMA 200, 210, 400, 410, 500v (firmware 10.2.1.9-57sv and earlier) | High |
| Patch Availability | Yes (10.2.1.14-75sv or later) | Mitigated if patched |
| Urgency of Action | Immediate patching, or discontinuation if mitigation is unavailable | Critical |
Organizations using SonicWall SMA100 appliances should act without delay to protect their networks from ongoing exploitation and evolving cyber threats.