Pierluigi Paganini May 02, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

• CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
• CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability

This week, SonicWall revealed that attackers actively exploited two security vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, in its SMA100 Secure Mobile Access appliances.

CVE-2024-38475 (CVSS score: 9.8) is an improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier. An attacker can exploit the flaw to map URLs to file system locations that are permitted to be served by the server

CVE-2023-44221 (CVSS score: 7.2) is an improper neutralization of special elements in the SMA100 SSL-VPN management interface. A remote authenticated attacker with administrative privilege can exploit the flaw to inject arbitrary commands as a ‘nobody’ user, potentially leading to OS Command Injection Vulnerability.

“During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.” reads the advisory updated on April 29, 2025,. “During further analysis, SonicWall and trusted security partners identified that ‘CVE-2023-44221 – Post Authentication OS Command Injection’ vulnerability is potentially being exploited in the wild.”

Both flaws impact SMA 100 Series devices, including SMA 200, 210, 400, 410, 500v. The company addressed the flaws with the following releases:

• CVE-2023-44221 – 10.2.1.10-62sv and higher versions (Fixed on December 4, 2023)
• CVE-2024-38475 – 10.2.1.14-75sv and higher versions (Fixed on December 4, 2024)

The company has not provided technical details about the attacks exploiting the vulnerabilities, nor has it attributed them to any specific threat actor.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by May 22, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)