CISA Warns of SonicWall SMA100 OS Command Injection Vulnerability Exploited in Wild
CISA has added the SonicWall SMA100 OS Command Injection Vulnerability, tracked as CVE-2023-44221, to its Known Exploited Vulnerabilities (KEV) catalog.
According to CISA’s May 1, 2025 advisory, this vulnerability is actively being exploited in the wild, posing a substantial risk to organizations relying on SonicWall’s Secure Mobile Access (SMA) appliances.
SonicWall SMA100 Vulnerability – CVE-2023-44221
CVE-2023-44221 is an improper-neutralization flaw in the SSL-VPN management interface of SonicWall SMA100 series appliances. A remote attacker who already holds administrative credentials can inject arbitrary OS commands, which then execute under the appliance's unprivileged 'nobody' account.
The vulnerability is classified under CWE-78 (OS Command Injection), which occurs when a product constructs operating system commands using externally-influenced input without properly neutralizing special elements.
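To make the CWE-78 pattern concrete, the following is an added illustration, not SonicWall's code and not a reproduction of the SMA100 flaw: a hypothetical "diagnostics" handler that builds a shell command from an admin-supplied hostname, shown beside a hardened version. The handler name, the sample hostnames and the use of `echo` as a stand-in for the ping/traceroute such a page would really run are all constructed for the example.

```python
"""
Added illustration of CWE-78 (OS command injection). Not SonicWall code.
'echo' stands in for the network tool a real diagnostics page would run,
so the example is safe to execute offline.
"""
import re
import subprocess

# Constructed request values, as an admin-facing form might submit them.
BENIGN_HOST = "vpn.example.internal"
MALICIOUS_HOST = "vpn.example.internal; echo INJECTED"


def diag_vulnerable(host: str) -> str:
    """VULNERABLE: the hostname is concatenated into a shell command string.
    /bin/sh honours metacharacters such as ';', '|', '&&', '$(...)' and
    backticks, so attacker-controlled text becomes a second command that
    runs with the privileges of the web-server process."""
    cmd = "echo probing " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: hostname characters only, and no leading '-' so the value can
# never be parsed as a command-line option by the tool being invoked.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def diag_hardened(host: str) -> str:
    """HARDENED: strict allow-list validation plus argv-style execution.
    Without shell=True each list element is passed to execve() as one
    argument, so nothing in `host` is ever interpreted as shell syntax."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected hostname: %r" % host)
    return subprocess.run(["echo", "probing", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(diag_vulnerable(MALICIOUS_HOST)))
    print("hardened:  ", repr(diag_hardened(BENIGN_HOST)))
    try:
        diag_hardened(MALICIOUS_HOST)
    except ValueError as e:
        print("hardened rejected payload:", e)
```

Run as-is, the vulnerable function prints a second line, `INJECTED`, that came from the attacker's input, while the hardened function either echoes the value literally or refuses it. The two defences are complementary: the allow-list limits what reaches the command at all, and the argv form removes the shell parser from the path entirely. Note that on an appliance the injected command runs as whatever account the web process uses; for the SMA100 the advisory names that as 'nobody', which is why the rating is High rather than Critical but still yields code execution on the device.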
The affected products are the SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.1.9-57sv and earlier.
According to the National Vulnerability Database, CVE-2023-44221 carries a CVSS 3.1 base score of 7.2 (High). The impact on confidentiality, integrity and availability is rated high in all three categories; the score stays below Critical only because the attacker must already hold administrative privileges on the appliance.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA stated in its advisory.
Security researchers at Arctic Wolf have observed that “even fully patched firewall devices may still become compromised if accounts use poor password hygiene”.
| Risk Factors | Details |
| --- | --- |
| Affected Products | SonicWall SMA 200, 210, 400, 410, 500v appliances (firmware ≤ 10.2.1.9-57sv) |
| Impact | Remote authenticated attackers with admin privileges can inject arbitrary OS commands as the 'nobody' user via the SSL-VPN management UI |
| Exploit Prerequisites | Authenticated access with administrative privileges |
| CVSS 3.1 Score | 7.2 (High) |
Exploitation Details
While specific exploitation details remain limited, security firm watchTowr reported on May 1 that their “client base has been feeding rumors about in-the-wild exploited SonicWall SMA n-days (CVE-2023-44221, CVE-2024-38475) for a while”.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate identified vulnerabilities by May 22, 2025.
While this directive only binds federal agencies, CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practices.
Mitigation
SonicWall has released patches addressing CVE-2023-44221 in version 10.2.1.10-62sv and higher. Security experts recommend organizations implement the following measures:
- Immediately upgrade to the latest SMA100 firmware version
- Enable multi-factor authentication for all accounts, especially administrative ones
- Reset passwords of all local accounts, ensuring strong credentials
- Limit VPN access to only necessary accounts
- Remove or disable unneeded accounts, including default admin accounts
- Configure comprehensive log monitoring for all firewall devices
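The first step above is the one that closes the vulnerability, so the practical question for a fleet is which appliances still run firmware at or below 10.2.1.9-57sv. The following is an added helper, not SonicWall tooling: it parses version strings in the `major.minor.patch.build-NNsv` shape used in the advisory, compares them against the 10.2.1.10-62sv fix named above, and sorts a constructed inventory into patch / ok / review buckets. The inventory entries and the helper names are assumptions made for the example.

```python
"""
Added triage helper for CVE-2023-44221 exposure. Not SonicWall tooling.
Assumes SonicWall's 'major.minor.patch.build-NNsv' version format
(e.g. 10.2.1.9-57sv). Anything that does not parse is flagged for manual
review rather than silently treated as patched.
"""
import re

FIXED_VERSION = "10.2.1.10-62sv"   # first fixed build per the SonicWall advisory
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(v: str) -> tuple:
    """'10.2.1.9-57sv' -> (10, 2, 1, 9, 57); numeric tuples compare correctly,
    unlike raw strings where '10.2.1.9' would sort after '10.2.1.10'."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError("unrecognised SMA100 version string: %r" % v)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is in scope and its firmware predates the fix."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """inventory: iterable of (hostname, model, version).
    Returns {'patch': [...], 'ok': [...], 'review': [...]}."""
    result = {"patch": [], "ok": [], "review": []}
    for host, model, version in inventory:
        try:
            bucket = "patch" if is_vulnerable(model, version) else "ok"
        except ValueError:
            bucket = "review"   # unparseable version: do not assume it is safe
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and the 10.2.0.x entry are invented).
SAMPLE_INVENTORY = [
    ("sma-hq-1", "SMA 410", "10.2.1.9-57sv"),    # last affected build
    ("sma-hq-2", "SMA 500v", "10.2.1.10-62sv"),  # first fixed build
    ("sma-dr-1", "SMA 200", "10.2.0.8-37sv"),    # older branch, below the fix
    ("sma-lab", "SMA 410", "unknown"),           # cannot be classified
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-6s %s" % (bucket, ", ".join(hosts) or "-"))
```

Feed it the model and firmware string from each appliance's management page or your asset inventory. A clean "ok" result only means the command-injection fix is present; as the Arctic Wolf observation above notes, a patched device with weak or stale administrative credentials can still be compromised, so the credential-reset, MFA and account-cleanup steps in the list remain necessary.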
The KEV Catalog is CISA's authoritative list of vulnerabilities for which it has evidence of active exploitation. Created to benefit the cybersecurity community and network defenders, it helps organizations prioritize remediation and keep pace with threat activity.
Organizations are advised to incorporate the KEV catalog into their vulnerability management prioritization frameworks to ensure timely remediation of the most critical threats.