Arctic Wolf Security Bulletin

Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities

As of 29 April 2025, SonicWall has updated their advisories for several vulnerabilities that are now linked to ongoing exploitation in the threat landscape. 

In a previous security bulletin sent by Arctic Wolf on 17 April 2025, we advised of a credential access campaign targeting SonicWall SMA devices along with remediation guidance. As of 29 April 2025, SonicWall has updated their advisories for several vulnerabilities that are now linked to ongoing exploitation in the threat landscape. 

On the advisories for the two relevant vulnerabilities, CVE-2024-38475 and CVE-2023-44221, SonicWall updated the descriptions to indicate that they are potentially being exploited in the wild. For CVE-2023-44221, which allows for OS command injection, valid credentials are required for successful exploitation. 

Given that CVE-2023-44221 allows for OS command injection on affected devices, threat actors may utilise it to establish persistence on affected devices and to move laterally within compromised environments. 

It is important to note that even fully patched firewall devices may still become compromised if accounts use poor password hygiene. Details surrounding the tactics used in this campaign are limited at this time, but organisations should review the recommendations below for hardening the security of all local accounts on SonicWall SMA devices. 

Recommendations

Upgrade to Latest Fixed Version

See the updated advisory for the details provided below: 

Product: SMA 100 Series
Platform:
  • SMA 200
  • SMA 210
  • SMA 400
  • SMA 410
  • SMA 500v (ESX, KVM, AWS, Azure)
Impacted Versions: Versions earlier than 10.2.1.14-75sv
Fixed Versions: 10.2.1.14-75sv and higher versions
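To check a fleet of SMA 100 devices against the fixed version in the advisory, the following is an added example (not part of the bulletin and not a SonicWall tool) that parses the version format the advisory uses, "10.2.1.14-75sv", and flags devices still on an impacted build; the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed version stated in SonicWall's updated advisory for the SMA 100 series.
FIXED_VERSION = "10.2.1.14-75sv"

# SMA 100 firmware versions look like "10.2.1.14-75sv": four dotted numeric
# fields, then a hyphen, a build number and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of an SMA 100 version string, or None if
    the string does not match the expected format."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_impacted(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the device runs a version earlier than the fixed one, False if it
    is at or above it, None if the string cannot be parsed (treat as needing
    manual review rather than silently marking the device as safe)."""
    parsed = parse_sma_version(version)
    fixed_parsed = parse_sma_version(fixed)
    if parsed is None or fixed_parsed is None:
        return None
    return parsed < fixed_parsed  # tuple comparison is field by field


def triage_inventory(inventory: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split a {hostname: version} inventory into devices that need the upgrade,
    devices already on a fixed version, and devices whose version needs review."""
    needs_upgrade, already_fixed, review = [], [], []
    for host, version in inventory.items():
        result = is_impacted(version)
        if result is None:
            review.append(host)
        elif result:
            needs_upgrade.append(host)
        else:
            already_fixed.append(host)
    return sorted(needs_upgrade), sorted(already_fixed), sorted(review)


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"sma-hq-01": "10.2.1.13-72sv", "sma-dc-02": "10.2.1.14-75sv",
              "sma-az-03": "10.2.1.15-81sv", "sma-lab-04": "unknown"}
    print(triage_inventory(sample))
```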

Harden Security of Local Accounts on SonicWall SMA Devices

To protect against the malicious activities observed in this campaign, organisations should apply the following security best practices for firewalls: 

  • Enable multi-factor authentication for all accounts (especially local accounts). 
  • Consider resetting passwords of all local accounts on SonicWall SMA firewalls, ensuring that strong passwords are used across the board. 
  • Limit VPN access to the minimum necessary accounts. 
  • Remove or disable all unneeded accounts, including default admin accounts. 

Configure Log Monitoring for all Firewall Devices

To increase the likelihood of catching malicious activity early, ensure that syslog monitoring is configured for all of your organisation’s firewall devices using our provided documentation. 
