SonicBoom: Exploiting SonicWall SMA100 via CVE-2023-44221 and CVE-2024-38475

Overview
In May 2025, WatchTowr Labs published an in-depth analysis of two critical vulnerabilities affecting SonicWall's Secure Mobile Access (SMA) 100 series appliances. These vulnerabilities, CVE-2023-44221 and CVE-2024-38475, can be chained to achieve unauthenticated remote code execution, posing significant risks to organizations relying on these devices for secure remote access.
Vulnerability Details
CVE-2024-38475: Apache HTTP Server Pre-Authentication Arbitrary File Read
- Discovered by: Orange Tsai (DEVCORE), as part of his "Confusion Attacks" research on Apache HTTP Server presented at Black Hat USA 2024
- Affected Component: Apache HTTP Server's mod_rewrite module, in httpd 2.4.59 and earlier
- Description: A substitution-encoding flaw in mod_rewrite. httpd percent-decodes the request path before RewriteRule patterns are matched, so an encoded question mark (%3F) becomes a literal '?' inside a captured backreference. When that backreference is substituted into a filesystem path, the '?' terminates the path at that point, discarding whatever the rule appended after it. An unauthenticated attacker can thereby reach files that the configuration permits httpd to serve but that no URL is meant to expose. httpd 2.4.60 refuses such substitutions unless the rule explicitly carries the UnsafeAllow3F flag.
- Impact on SMA100: Attackers can read sensitive files, including session tokens, without authentication.
- Reference: Orange Tsai's Research
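The path-truncation mechanism described above, modelled in Python as an added example (this is not code from the original page, from WatchTowr, or from httpd itself). The rewrite rule is an assumption chosen for illustration; it is not the SMA100's configuration. The first function reproduces the pre-2.4.60 substitution and '?'-splitting behaviour, the second the 2.4.60 refusal, and the third a configuration-level hardening that works on any version: a capture pattern tight enough that a decoded '?' can never match.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed rewrite rule in the shape the Apache advisory describes for
# CVE-2024-38475: a captured path fragment is pasted into a target carrying a
# fixed suffix.  Assumption for illustration only; not taken from the SMA100
# configuration or from WatchTowr's write-up.
LOOSE_PATTERN = re.compile(r"^/html/(.*)$")
# Hardened variant: the capture cannot contain '?', '%', or anything outside a
# small path alphabet, so the decoded request either matches safely or not at all.
STRICT_PATTERN = re.compile(r"^/html/([A-Za-z0-9_./-]+)$")
TARGET_SUFFIX = ".html"


def _decode_and_match(request_uri: str, pattern: re.Pattern):
    # httpd percent-decodes the request path (so %3F becomes '?') before the
    # RewriteRule pattern is matched against it.
    decoded = unquote(request_uri)
    return decoded, pattern.match(decoded)


def rewrite_pre_2_4_60(request_uri: str) -> Tuple[str, str]:
    """Model of the vulnerable behaviour (httpd <= 2.4.59).

    The decoded backreference is substituted verbatim, then the result is split
    at the first '?' into a path and a query string.  A trailing encoded '?' in
    the captured fragment pushes the fixed suffix into the query string, and
    the path is mapped to the filesystem without it.
    Returns (path, query); a non-matching URI is returned unchanged.
    """
    decoded, m = _decode_and_match(request_uri, LOOSE_PATTERN)
    if not m:
        return decoded, ""
    substituted = "/" + m.group(1) + TARGET_SUFFIX
    path, _, query = substituted.partition("?")
    return path, query


def rewrite_2_4_60(request_uri: str) -> Optional[Tuple[str, str]]:
    """Model of the fixed behaviour (httpd >= 2.4.60).

    A substitution whose backreference contributes a '?' is refused unless the
    rule carries UnsafeAllow3F, which this model does not set.  None stands in
    for the request failing instead of being rewritten.
    """
    decoded, m = _decode_and_match(request_uri, LOOSE_PATTERN)
    if not m:
        return decoded, ""
    if "?" in m.group(1):
        return None
    return "/" + m.group(1) + TARGET_SUFFIX, ""


def rewrite_restricted_pattern(request_uri: str) -> Tuple[str, str]:
    """Configuration-level hardening independent of the httpd version: the
    capture group only admits a safe path alphabet, so a decoded '?' makes the
    rule not match and the request falls through to default handling."""
    decoded, m = _decode_and_match(request_uri, STRICT_PATTERN)
    if not m:
        return decoded, ""
    return "/" + m.group(1) + TARGET_SUFFIX, ""


if __name__ == "__main__":
    benign = "/html/welcome"
    crafted = "/html/usr/share/doc/apache2/index.html%3F"   # constructed probe
    for fn in (rewrite_pre_2_4_60, rewrite_2_4_60, rewrite_restricted_pattern):
        print(f"{fn.__name__:28} benign={fn(benign)} crafted={fn(crafted)}")
```

The crafted request shows the whole problem in one line: the loose rule turns it into the path /usr/share/doc/apache2/index.html with ".html" left over as the query string, so the appended suffix never constrains which file is served. Which files become reachable depends entirely on what the rule's target prefix maps onto, which is why the same bug is a full pre-authentication file read on one appliance and harmless on another.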
CVE-2023-44221: Post-Authentication Command Injection
- Discovered by: Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd
- Affected Component: SonicWall SMA100 SSL-VPN management interface
- Description: An authenticated attacker with administrative privileges can inject arbitrary OS commands, because special characters in user-supplied input are not neutralized before the input reaches a shell command.
- Impact: Execution of arbitrary commands on the underlying operating system as the 'nobody' user.
- Reference: NVD Entry
Exploitation Chain
The exploitation process involves the following steps:
- Arbitrary File Read: Using CVE-2024-38475, an attacker reads sensitive files, including the appliance's stored session tokens, from the SMA100 without authentication.
- Session Hijacking: With a stolen session token belonging to an administrator, the attacker gains authenticated access to the management interface without knowing any credentials.
- Command Injection: Leveraging CVE-2023-44221, the now-authenticated attacker injects and executes arbitrary commands on the appliance as the 'nobody' user.
This chain turns a post-authentication bug into unauthenticated remote code execution on the SMA100 device: the file read supplies exactly the authentication that the command injection requires.
Proof-of-Concept (PoC)
WatchTowr Labs has provided detailed reproduction steps and PoC code in their blog post:
👉 SonicBoom: From Stolen Tokens to Remote Shells
The blog includes step-by-step instructions and code snippets demonstrating the exploitation process.
Mitigation and Recommendations
- Patch Affected Systems: SonicWall has released firmware updates addressing these vulnerabilities. The two fixes shipped at different times (the CVE-2023-44221 fix in late 2023, the CVE-2024-38475 fix about a year later), so confirm the running 10.2.1.x firmware against the fixed versions listed in the SonicWall PSIRT advisory for each CVE rather than assuming a recent update covers both.
- Restrict Access: Limit access to the management interface to trusted networks and administrators. This does not stop the file read (it is reachable by anyone who can reach the appliance's web listener), but it breaks the second step of the chain, since a stolen token is only useful from a network that can reach the management interface.
- Monitor Logs: Regularly review access logs for requests carrying a percent-encoded question mark (%3F) in the path, for management-interface sessions originating from unexpected source addresses, and for any other unauthorized access or suspicious activity.
- Implement Web Application Firewall (WAF): Deploy a WAF to help detect and block malicious requests targeting known vulnerabilities.
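A detector for the "Monitor Logs" item, written as an added example (not code from the original page or from WatchTowr): it parses Apache combined-format access log lines and flags any request whose path component carries a percent-encoded question mark, grading a 200 response higher because that is what a successful read through the rewrite looks like. The log lines are constructed for this example, use documentation IP ranges, and come from no real appliance; the /html/ request shape mirrors the hypothetical rule used in the earlier example and is likewise an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Apache "combined" access log format; the referer/user-agent fields at the
# end are not needed for this check and are ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Percent-encoded '?' in the *path* component.  A literal '?' starts the query
# string and is normal; an encoded one survives decoding into the path, which
# is the ingredient CVE-2024-38475 needs.  Match case-insensitively: %3f and
# %3F are the same byte after decoding.
ENCODED_QMARK = re.compile(r"%3f", re.IGNORECASE)

# Constructed sample lines (assumption: documentation addresses, invented
# timestamps).  Not taken from any real appliance or from WatchTowr's write-up.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [01/May/2025:10:00:02 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 2048
198.51.100.7 - - [01/May/2025:10:00:03 +0000] "GET /html/usr/share/doc/apache2/index.html%3F HTTP/1.1" 200 1024
198.51.100.7 - - [01/May/2025:10:00:04 +0000] "GET /html/etc/passwd%3f HTTP/1.1" 404 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def inspect(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one parsed entry, or None if nothing is suspicious."""
    # urlsplit does not percent-decode, so %3F stays visible in .path while a
    # literal '?' correctly moves everything after it into .query.
    path = urlsplit(entry["target"]).path
    if not ENCODED_QMARK.search(path):
        return None
    # 200 means the rewritten path resolved and was served: a likely successful
    # read.  Other codes still indicate probing and are worth a look.
    severity = "high" if entry["status"] == "200" else "medium"
    return {
        "ip": entry["ip"], "ts": entry["ts"], "target": entry["target"],
        "status": entry["status"], "severity": severity,
        "reason": "percent-encoded '?' in request path",
    }


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run inspect() over every parseable line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = inspect(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def sources(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per source address, to see who is probing rather than just what."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["severity"].upper(), f["ip"], f["ts"], f["status"], f["target"], "-", f["reason"])
    print("by source:", dict(sources(results)))
```

The same path test, applied to the raw request line before routing, is what a WAF rule for the "Implement Web Application Firewall" item needs: block or alert on %3F in the path, not on a literal '?', which legitimate query strings use constantly. Two caveats a practitioner should keep in mind: an appliance that has already been compromised may have had its logs altered, and this check only covers the file-read step; the later command-injection step is an authenticated management request that looks routine at the HTTP layer, so it is the source address of the administrative session that gives it away.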
Conclusion
The chaining of CVE-2024-38475 and CVE-2023-44221 highlights the critical importance of timely patching and vigilant security practices. Organizations using SonicWall SMA100 appliances should take immediate action to mitigate these vulnerabilities and protect their networks from potential exploitation.
For a comprehensive walkthrough and technical details, refer to WatchTowr Labs' original blog post:
👉 SonicBoom: From Stolen Tokens to Remote Shells