🔴 CVE-2023-44221

SonicWall SMA100 SSL-VPN appliances contain an OS command injection vulnerability in the management interface allowing authenticated administrators to execute arbitrary commands. These appliances are specifically designed to be internet-facing and this vulnerability is actively exploited in the wild.

Risk Level: HIGH_RISK

CVSS Score: 7.2

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1133 - External Remote Services

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-12-05

Added to CISA KEV: 2025-05-01 (513 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-44221 is a critical security vulnerability affecting SonicWall SMA100 series appliances. Below is a summary of the known details regarding this flaw.

Overview and Impact
  • Vulnerability Type: Post-authentication OS Command Injection [2].
  • Impact: Successful exploitation allows an attacker to inject and execute arbitrary commands on the underlying operating system as a `nobody` user [1]. This can lead to full compromise of the appliance, potentially allowing for further lateral movement within the network.

Exploitation and Requirements
  • Active Exploitation: SonicWall and security partners have confirmed that this vulnerability has been exploited in the wild [2] [4].
  • Requirements:
    * Network Access: The attack is remote, meaning it can be performed over the network [1].
    * Authentication: Crucially, this is a post-authentication vulnerability. An attacker must already possess valid administrative credentials for the SSL-VPN management interface to successfully exploit it [1] [3].
  • Threat Actor Usage: While active exploitation has been confirmed, specific attribution to named ransomware groups or targeted campaigns is not publicly detailed in standard vulnerability disclosures. However, its nature as a post-authentication flaw often implies it is used by attackers who have already gained initial access via other means (e.g., credential theft or phishing).

Affected Products and Mitigation
  • Affected Models: SonicWall SMA 100 series, specifically models 200, 210, 400, 410, and 500v [3].
  • Affected Versions: Firmware versions up to and including 10.2.1.9-57sv [3].
  • Patch Status: The vulnerability was addressed in firmware version 10.2.1.10-62sv and subsequent releases [2]. Users are strongly advised to update to the latest available firmware version to ensure all known vulnerabilities are patched [4].

Exploit Availability

Public proof-of-concept (PoC) code or automated exploit tools are generally not recommended for use outside of authorized security testing. Given that this is a post-authentication vulnerability, exploit scripts typically focus on automating the injection of commands into the management interface after the attacker has established an authenticated session.

Sources

  1. CVE-2023-44221 Detail - NVD

    Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to ... CVE-2023-44221 Detail. Description. Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remot…

  2. CVE-2023-44221 - SonicWall Security Advisories

    1) CVE-2023-44221 - Post Authentication OS Command Injection Vulnerability. Improper neutralization of special elements in the SMA100 ... Note: During further analysis, SonicWall and trusted security partners identified that 'CVE-2023-44221 - Post Authentication OS Command Injection' vulnerability i…

  3. CVE-2023-44221 - SonicWall SMA100 Appliances OS... - SecAlerts

    To mitigate CVE-2023-44221, users should upgrade to the latest firmware versions of the SonicWall SMA series that address this vulnerability. Who is affected by CVE-2023-44221? CVE-2023-44221 impacts SonicWall SMA models 200, 210, 400, 410, and 500v running firmware versions up to and including 10.2…

  4. SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to...

    The shortcomings, that impact SMA 100 Series including SMA 200, 210, 400, 410, 500v, have been addressed in version 10.2.1.15-81sv. The development comes as multiple security flaws in SMA 100 Series devices have come under active exploitation in recent weeks, including CVE-2021-20035, CVE-2023-44221…