Two SonicWall Flaws Under Active Exploit: Could Your VPN Be the Next Target?


The SonicWall security story just escalated. We’ve got two critical flaws—CVE-2023-44221 and CVE-2024-38475—now confirmed to be actively exploited in the wild. And the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added them to its Known Exploited Vulnerabilities (KEV) catalog.

What’s different this time is the timing. Just as watchTowr Labs published proof-of-concept exploit code, CISA pushed out its KEV update. That means attackers don’t just have a roadmap—they’ve got working tools.

Here’s what we know:

  • Both vulnerabilities affect SMA 100 series appliances, including models 200, 210, 400, 410, and 500v.
  • CVE-2024-38475 is a critical Apache HTTP Server flaw that lets attackers bypass authentication and seize admin-level access.
  • CVE-2023-44221 allows remote OS command injection once inside, executed with the privileges of the ‘nobody’ user.
  • Together, these vulnerabilities can be chained to take full control of unpatched systems.

Patches have been available since December 2023 and December 2024, but if you’re not running version 10.2.1.14-75sv or later, your systems are still exposed.

CISA has set a hard deadline: federal agencies must patch by May 22. Private sector organizations—especially those relying on SMA appliances for remote access—should take this as an urgent wake-up call.

watchTowr’s analysis points out that attackers likely already understand how to chain both flaws for full appliance compromise. The researchers released their detection tools as a “painful reality check,” highlighting that it’s better for defenders to have visibility than to operate in the dark.

SonicWall vulnerabilities have been a recurring target, especially in zero-day attacks, so this situation fits a broader pattern.

If your organization is still assessing its exposure, now is the time to check your SMA version and understand where it fits in the patch lifecycle. Exploits are out. KEV catalog status is confirmed. And adversaries are already knocking.
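One way to run that version check across an inventory, as an added example that is not from SonicWall, CISA or watchTowr: it triages a constructed appliance list against the fixed release 10.2.1.14-75sv. The CSV layout, hostnames, sample firmware values and the regular expression for the version format are assumptions.

```python
import csv
import io
import re

FIXED = "10.2.1.14-75sv"  # minimum fixed release named in the article
AFFECTED_MODELS = {"200", "210", "400", "410", "500v"}  # SMA 100 series models listed above

# Assumed format, inferred from the version string in the article:
# four dotted numbers, a build number, then the "sv" suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

# Constructed inventory; hostnames, column names and firmware values are made up.
SAMPLE_INVENTORY = """\
host,model,firmware
vpn-edge-01,SMA 410,10.2.1.14-75sv
vpn-edge-02,SMA 210,10.2.1.9-57sv
vpn-lab-01,SMA 500v,10.2.1.13-72sv
vpn-dr-01,SMA 400,not recorded
vpn-new-01,SMA 200,10.2.2.0-3sv
fw-core-01,other,n/a
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it does not parse."""
    m = VERSION_RE.match(text.strip().lower())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(inventory_csv):
    """Map host -> 'patched', 'exposed', 'unknown' or 'out-of-scope'."""
    fixed = parse_version(FIXED)
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = re.sub(r"^sma\s*", "", row["model"].strip().lower())
        version = parse_version(row["firmware"])
        if model not in AFFECTED_MODELS:
            status = "out-of-scope"
        elif version is None:
            status = "unknown"  # unparseable version: verify on the appliance
        else:
            # Tuple comparison is numeric; comparing the raw strings would
            # rank "10.2.1.9" above "10.2.1.14".
            status = "patched" if version >= fixed else "exposed"
        results[row["host"]] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as unverified and checked on the appliance itself rather than assumed patched.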
