SonicWall Confirms Active Exploitation of Two Critical Bugs—Is Your SMA Appliance at Risk?


SonicWall has confirmed that two serious vulnerabilities in its Secure Mobile Access (SMA) 100 Series appliances are now being actively exploited in the wild, and it’s sounding the alarm for anyone who hasn’t applied recent patches.

The first issue, CVE-2023-44221, is a remote OS command injection vulnerability with a CVSS score of 7.2. It does require admin privileges to exploit, which slightly limits risk—but once an attacker has that access, they can execute arbitrary commands on the device. SonicWall released a patch for this in December 2023, but it’s now clear that adversaries have started weaponizing it.

The second flaw is far more urgent. CVE-2024-38475 is a critical path traversal vulnerability in the Apache HTTP Server, clocking in with a CVSS score of 9.8. This one doesn’t require authentication and can be exploited remotely to access file system paths that should be off-limits. SonicWall now says attackers have also discovered a new technique with this bug that could lead to session hijacking, depending on what files they’re able to access.

These vulnerabilities affect the following SonicWall models:

  • SMA 200 / 210
  • SMA 400 / 410
  • SMA 500v

Patches for the two issues were included in software versions 10.2.1.10-62sv and 10.2.1.14-75sv, released in December 2023 and December 2024, respectively. If your devices aren’t running those builds—or later—you may be exposed.
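As an added example (not SonicWall tooling and not code from the original article), the following sketch checks an appliance inventory against the two fixed builds named above. It assumes firmware strings follow the `a.b.c.d-NNsv` pattern seen in those build names; the hostnames and the versions in the sample inventory are constructed for illustration.

```python
import re

# Fixed builds as stated in the article above.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Assumed firmware string layout: four dotted numbers, a dash, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_build(version):
    """Turn '10.2.1.10-62sv' into (10, 2, 1, 10, 62) for numeric comparison."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(part) for part in match.groups())


def missing_fixes(version):
    """Return the CVEs whose fixed build is newer than the given firmware."""
    build = parse_build(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if build < parse_build(fixed))


def audit(inventory):
    """Map each host to its missing fixes; unparseable versions are flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = missing_fixes(version)
        except ValueError:
            report[host] = ["UNKNOWN_VERSION"]
    return report


# Constructed sample inventory (hypothetical hosts and firmware strings).
SAMPLE_INVENTORY = {
    "sma-branch-01": "10.2.1.9-57sv",    # string comparison would misorder 9 vs 10
    "sma-branch-02": "10.2.1.10-62sv",
    "sma-hq-01": "10.2.1.14-75sv",
    "sma-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, gaps in audit(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(gaps) if gaps else "both fixes present")
```

Comparing the parsed tuples rather than the raw strings matters here: a lexical comparison would rank `10.2.1.9` above `10.2.1.10` and report an unpatched device as current.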

SonicWall’s warning comes just two weeks after it confirmed another actively exploited bug from its back catalog: CVE-2021-20035, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog. It’s the latest sign that threat actors are systematically targeting SMA 100 appliances, whether through zero-days or older unpatched flaws.

What stands out here is how attackers are evolving their methods—not just going after unauthenticated bugs, but also combining known vulnerabilities with session hijacking techniques that give them deeper control. It’s a real-world reminder that appliances built to secure remote access are also a prime target themselves.
