
SonicWall confirms exploitation of two SMA 100 bugs, one critical


SonicWall on April 29 said that two bugs affecting its SMA 100 Series remote access devices — one of them a 9.8 critical flaw — were observed being exploited in the wild.

SonicWall urged customers to review their SMA devices to ensure that there are no unauthorized log-ins.

The critical bug — CVE-2024-38475 — is a path traversal vulnerability that could let attackers map URLs to file system locations that are permitted by the server. The second bug — CVE-2023-44221 — is a 7.2 flaw that lets attackers perform OS command injection.

Security experts said the real fear with these exploited bugs is that attackers could enter the network via remote access and then move laterally once they are in the corporate network.

“And with the [critical] vulnerability, attackers can load any file from remote locations and execute it, so the hacker just references the file and can easily execute attacks,” said Lawrence Pingree, vice president at Dispersive. “One thing that’s most scary is that once these types of appliances are breached, they sit right in the data path, so can readily access decrypted data or breach encryption keys used for cryptography.”

Pingree advises security teams to start a micro-segmentation and zero-trust isolation project right away. Teams need to make certain that all infrastructure gets upgraded to infrastructure that no longer has exposed protocols and ports, eliminating the attack surface of the infrastructure itself.

Rom Carmel, co-founder and CEO at Apono, added that the potential for OS command injection, arbitrary file mapping, and session hijacking highlights the risks these bugs introduce, particularly given their known exploitation in the wild.

Carmel said organizations that use the affected SonicWall SMA devices should prioritize patching right away. Beyond patching, Carmel said teams should stay vigilant and focus on reviewing logs and enhancing monitoring for any anomalous activity.
