Executive Summary

    Updated May 7th, 2025: We have updated this article to mention three new SonicWall SMA vulnerabilities reported by Rapid7 that can also achieve remote code execution, if used in combination with the CVE-2024-38475 vulnerability detailed by watchTowr. Please see the section titled “Update – May 7th 2025” for details.

    On May 1st, watchTowr Labs published an article detailing new information on two previously reported critical vulnerabilities in SonicWall SMA: CVE-2024-38475 and CVE-2023-44221. These vulnerabilities are an arbitrary file read and a command injection, and successful combined exploitation of them would grant a threat actor remote code execution (RCE) on a target device. Both vulnerabilities were added to the CISA KEV on the same day, and Beazley Security is aware of active “In the Wild” exploitation of these vulnerabilities.

    SonicWall SMA (Secure Mobile Access) is a network access gateway appliance for mobile device access. It is typically deployed as an edge device, and successful compromise by a threat actor would provide them initial access into an organization’s network. These vulnerabilities were previously identified and addressed by SonicWall in SNWLID-2024-0018 and SNWLID-2023-0018, but the new information provided by watchTowr and CISA has prompted SonicWall to update both advisories to indicate the increased risk and severity.

    Software security patches have already been provided by SonicWall, and watchTowr provided enough detailed technical analysis for proficient readers to develop their own weaponized exploits. As a result, Beazley Security expects increased scanning and exploit attempts from less sophisticated threat actors (in addition to the current in the wild exploitation). Affected organizations should apply updates immediately.

    Affected Systems or Products

    Updated May 7th, 2025 to include affected and fixed versions for SNWLID-2025-0011.

    Advisory           Product                                         Affected                              Unaffected
    SNWLID-2024-0018   SMA 100 Series (SMA 200, 210, 400, 410, 500v)   10.2.1.13-72sv and earlier versions   10.2.1.14-75sv and higher versions
    SNWLID-2023-0018   SMA 100 Series (SMA 200, 210, 400, 410, 500v)   10.2.1.9-57sv and earlier versions    10.2.1.10-62sv and higher versions
    SNWLID-2025-0011   SMA 100 Series (SMA 200, 210, 400, 410, 500v)   10.2.1.14-75sv and earlier versions   10.2.1.15-81sv and higher versions

    Mitigations / Workarounds

    There are unfortunately no mitigations available for these vulnerabilities. However, SonicWall has provided stable patches for both vulnerabilities through normal update channels.

    Patches

    SonicWall SMA 10.2.1.14-75sv and later versions address both issues. Instructions for updating device firmware have been provided by the vendor here.

    Updated May 7th, 2025: SonicWall SMA 10.2.1.15-81sv and later fix all issues listed in this advisory to date.

    Technical Details

    As previously mentioned, the watchTowr article describes how two vulnerabilities can be used in combination to achieve RCE. watchTowr has done an excellent job describing the technical details of both, and their article deserves a read-through. We provide a condensed version of their findings here.

    CVE-2024-38475

    This vulnerability is in the Apache HTTP Server component used in SonicOS devices. It was reported by a researcher named Orange Tsai who published their findings on this and other related Apache vulnerabilities in an excellent blog post found here.

    The components and details of this vulnerability are somewhat complex, especially in the context of how it can be used to attack SonicWall devices. We will attempt to describe it by reviewing the attack example provided by watchTowr.

    Figure 1: CVE-2024-38475 proof-of-concept

    First for context, Apache has a component called mod_rewrite that will, among many other things, take requested URLs and translate them into other objects for further processing. It does this via administrator defined rules, and the rule present on SonicWall devices that presents the bug is:

    RewriteRule ^/(.+)\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[A-Za-z0-9]*-[0-9]+.*\.css$ /$1.css

    Although it appears convoluted, the rule essentially makes Apache match the “.1.1.1.1a-1.css” segment of the attack URL (shown in green in Figure 1), convert the URL into a file path, and attempt to access that file.

    This is where the first major component of the bug comes into play. For security reasons, when Apache retrieves files to serve webpage content, it is constrained by a configuration setting called “DocumentRoot”. On SonicWall appliances, “DocumentRoot” is the following path: “/usr/src/EasyAccess/www/htdocs”. Orange Tsai found that if the translated URL string appears at the beginning of the rewritten file path, mod_rewrite searches for two file paths.

    In this particular case, because the SonicWall RewriteRule translates the URL to /$1.css, instead of only searching for:

    /usr/src/EasyAccess/www/htdocs/tmp/temp.db%3f.1.1.1.1a-1.css

    It will also try to search for:

    /tmp/temp.db%3f.1.1.1.1a-1.css

    Unfortunately, Apache mod_rewrite attempts to retrieve the latter file first. This is where the second major component of the vulnerability emerges. URLs and Unix file paths have different string encoding rules, and the issue arises because Apache applies URL decoding logic to the resulting file path. This means that in the proof-of-concept in Figure 1, the string in red, “%3f”, is decoded to “?”, which in a URL marks the start of the query string. The green section of the URL / file path is therefore truncated, and Apache searches for and serves the contents of the following file path:

    /tmp/temp.db

    In this exploitation scenario, this enables an attacker to retrieve the session database from the SonicWall SMA appliance. Because the database stores session information, a threat actor can hijack a session and log in as a legitimate user.

    CVE-2023-44221

    The second vulnerability is a conventional command injection flaw. watchTowr appears to have conducted patch analysis and determined that security checks had been added to system code that invokes network diagnostic tools.

    SonicWall appliances have POST API endpoints that will execute system binaries to perform system and network diagnostic functions, and the vulnerable endpoints allow arbitrary parameters to be passed. The code for traceroute6 lacked proper string length validations for its parameters, exposing the calls to potential buffer overflow vulnerabilities. Additionally, the buffers that store the unchecked parameters are allocated next to each other, which simplifies the exploitation process for an attacker by avoiding the common memory corruption complications associated with attempts to exploit buffer overflows.

    A proof-of-concept exploit for this vulnerability is provided below:

    POST /spog/diagnostics HTTP/1.1
    Host: host
    Cookie: swap="aaaaaaaa="; swcctn=bbbbbbbbbb
    User-Agent: Mozilla/5.0
    X-Csrf-Token: bbbbbbbbbb
    Priority: u=0
    Te: trailers
    Connection: keep-alive

    tool=TRACEROUTE6_CMD&target=";<payload>; <140 “’s>"

    The diagnostics API endpoint requires that a user be authenticated to the device as an administrator. In the sequence of actions demonstrated by the watchTowr researchers, CVE-2024-38475 is first utilized to hijack an existing administrative session. Subsequently, CVE-2023-44221 is employed to exploit the device further, leading to Remote Code Execution.

    Update – May 7th, 2025

    A few days after watchTowr reported their findings, Rapid7 released an article detailing three new vulnerabilities in SonicWall SMA (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821). These can be used in combination to achieve remote code execution; however, a threat actor would need a valid login account on a target SonicWall SMA appliance. CVE-2024-38475, described earlier in this advisory, provides an authentication bypass and can be chained with the three new vulnerabilities reported by Rapid7, providing an alternative exploit chain that also achieves remote code execution.

    Figure 2: Possible Kill Chains

    The first vulnerability (CVE-2025-32819) in this new attack chain is a directory traversal vulnerability in a file delete function that was first discovered in 2021 by NCC Group. They showed that the file delete function will (under the hood) concatenate a user-controlled web parameter directly onto a file path. SonicWall's fix at that time only added an authentication check before the file delete function. The directory traversal was still present, so non-root users could still delete any file on the system. If an attacker deletes /etc/EasyAccess/var/conf/persist.db, the system reboots and resets the administrator password to the default value of “password”. Both NCC Group and Rapid7 shared similar proof-of-concept POST traffic that triggers this vulnerability. A condensed, generalized version is presented below:

    POST /fileshare/sonicfiles/?User=<existing account>&Pass=<password>&Down=&RacNumber=44&Arg1=smb://<internal IP>/test/&Arg2=null&swcctn=../usr/src/EasyAccess/www/python/authentication&timestamp=api/../../../../../../<target file> HTTP/1.1

    The second vulnerability (CVE-2025-32820) in this new attack chain is another path traversal, in a file mode change function, that allows an attacker to make an arbitrary file world-writable. The root cause is similar to CVE-2025-32819, in that user-controlled API POST data is not sanitized before being incorporated into a “chmod 777” command. A condensed, generalized version of a POST request that triggers this vulnerability is presented below:

    POST /__api__/v1/client/nxpostconnectionscript/file HTTP/1.1
    <snip>
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIpPybfdplJ1hIwzq
    <snip>
    ------WebKitFormBoundaryIpPybfdplJ1hIwzq
    Content-Disposition: form-data; name="upfile"; filename="../../../../../../../../../bin/"
    01
    ------WebKitFormBoundaryIpPybfdplJ1hIwzq--

    The third vulnerability (CVE-2025-32821) in this new attack chain is another directory traversal, in an image icon upload function, that can be abused to upload an arbitrary file. In addition, Rapid7 found that automated jobs on a SonicWall SMA appliance attempt to execute /bin/lsb_release, a file that does not exist by default. If an attacker uses CVE-2025-32821 to write a backdoor to this file path, it will be executed automatically as root. A condensed, generalized version of a POST request that triggers this vulnerability is presented below:

    POST /cgi-bin/importlogo HTTP/1.1
    <snip>
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXOj6BtGNhEubdWvN
    <snip>
    ------WebKitFormBoundaryXOj6BtGNhEubdWvN
    Content-Disposition: form-data; name="portalName"
    ../../../../../../usr/src/EasyAccess/www/htdocs/test.txt #
    ------WebKitFormBoundaryXOj6BtGNhEubdWvN
    Content-Disposition: form-data; name="defaultFavicon"
    0
    ------WebKitFormBoundaryXOj6BtGNhEubdWvN
    Content-Disposition: form-data; name="updateFavicon"
    1
    ------WebKitFormBoundaryXOj6BtGNhEubdWvN
    Content-Disposition: form-data; name="favicon1"; filename="TESTING.gif"
    Content-Type: image/gif
    CONTENT
    ------WebKitFormBoundaryXOj6BtGNhEubdWvN--
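As an added detection example (not code from this advisory, watchTowr or Rapid7), the following Python scans Apache-style access log lines for the request shapes described in the CVE-2024-38475 section above and in this update: the SonicWall rewrite pattern with an encoded “?” inside the captured path, the traversal in the sonicfiles parameters (CVE-2025-32819), and POSTs to the two upload endpoints whose multipart bodies carry the CVE-2025-32820/32821 traversals. The log format regex, the sample log lines and their addresses are constructed assumptions; multipart bodies are not present in access logs, so those endpoints are only flagged for review.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The SonicWall mod_rewrite pattern quoted in the advisory (CVE-2024-38475).
REWRITE_RE = re.compile(r"^/(.+)\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[A-Za-z0-9]*-[0-9]+.*\.css$")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Request field of an Apache combined-format access log line (assumed log format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Multipart bodies are not in access logs, so POSTs to these endpoints are flagged for review.
UPLOAD_ENDPOINTS = {"/__api__/v1/client/nxpostconnectionscript/file": "CVE-2025-32820",
                    "/cgi-bin/importlogo": "CVE-2025-32821"}

def classify_request(method, target):
    """Return the CVE id whose request shape this request line matches, or None."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    m = REWRITE_RE.match(path)
    if m:
        # $1 is what mod_rewrite turns into a file path; a decoded '?' (from %3f)
        # or '../' inside it is the truncation/escape described for CVE-2024-38475.
        captured = unquote(m.group(1))
        if "?" in captured or TRAVERSAL_RE.search(captured):
            return "CVE-2024-38475"
    if path.startswith("/fileshare/sonicfiles"):
        for key in ("swcctn", "timestamp"):
            if any(TRAVERSAL_RE.search(unquote(v)) for v in query.get(key, [])):
                return "CVE-2025-32819"
    if method == "POST" and path in UPLOAD_ENDPOINTS:
        return UPLOAD_ENDPOINTS[path]
    return None

def scan_log(lines):
    """Return (cve, request target) pairs for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        cve = classify_request(m.group("method"), m.group("target")) if m else None
        if cve:
            hits.append((cve, m.group("target")))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2025:10:00:00 +0000] "GET /tmp/temp.db%3f.1.1.1.1a-1.css HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '198.51.100.7 - - [01/May/2025:10:00:01 +0000] "GET /images/style.1.2.3.4abc-5.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2025:10:00:02 +0000] "POST /fileshare/sonicfiles/?User=u&Pass=p&RacNumber=44&Arg1=smb://192.0.2.9/test/&Arg2=null&swcctn=../usr/src/EasyAccess/www/python/authentication&timestamp=api/../../../../../../etc/EasyAccess/var/conf/persist.db HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/May/2025:10:00:03 +0000] "POST /cgi-bin/importlogo HTTP/1.1" 200 55 "-" "python-requests/2.31"',
]
```

The second sample line is a legitimate cache-busting stylesheet request that matches the rewrite rule but carries no encoded “?” or traversal, so it is not flagged.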

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.