Security Bulletin text on the screen with a wolf in the background

Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities

As of April 29, 2025, SonicWall has updated their advisories for several vulnerabilities that are now linked to ongoing exploitation in the threat landscape. 

May 2 Updates:

  • On May 1, 2025, CISA updated the Known Exploited Vulnerability (KEV) catalog with both vulnerabilities.
  • On May 2, 2025, watchTowr Labs released an in-depth technical report, detailing how the vulnerabilities function and how they can be exploited, along with proof-of-concept (PoC) exploit code. Since these technical details are now available publicly, threat activity leveraging these vulnerabilities is likely to increase.

Original Post:

In a previous security bulletin sent by Arctic Wolf on April 17, 2025, we advised of a credential access campaign targeting SonicWall SMA devices along with remediation guidance. As of April 29, 2025, SonicWall has updated their advisories for several vulnerabilities that are now linked to ongoing exploitation in the threat landscape. 

On the advisories for the two relevant vulnerabilities, CVE-2024-38475 and CVE-2023-44221, SonicWall updated the descriptions to indicate that they are potentially being exploited in the wild. For CVE-2023-44221, which allows for OS command injection, valid credentials are required for successful exploitation. 

Given that CVE-2023-44221 allows for OS command injection on affected devices, threat actors may utilize it to establish persistence on affected devices and to move laterally within compromised environments. 

It is important to note that even fully patched firewall devices may still become compromised if accounts use poor password hygiene. Details surrounding the tactics used in this campaign are limited at this time, but organizations should review the recommendations below for hardening the security of all local accounts on SonicWall SMA devices. 

Recommendations

Upgrade to Latest Fixed Version

See the updated advisory for the details provided below: 

Product: SMA 100 Series
Platform:
  • SMA 200
  • SMA 210
  • SMA 400
  • SMA 410
  • SMA 500v (ESX, KVM, AWS, Azure)
Impacted Versions: versions earlier than 10.2.1.14-75sv
Fixed Versions: 10.2.1.14-75sv and higher
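As an added example (not from the bulletin or from SonicWall), the following Python check parses the SMA 100 firmware version format shown above and flags devices running firmware older than the fixed release. It assumes every SMA 100 firmware string follows the four dotted numeric fields plus "-<build>sv" pattern and that the build suffix compares numerically; the device names and versions in the sample inventory are constructed.

```python
import re

# Fixed version from SonicWall's advisory, as quoted on this page.
FIXED_VERSION = "10.2.1.14-75sv"

# Assumption: SMA 100 series firmware strings look like "10.2.1.14-75sv",
# four dotted numeric fields followed by "-<build>sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> tuple:
    """Turn an SMA 100 firmware string into a comparable tuple of ints.

    Raises ValueError for strings outside the expected format, so a typo in
    an inventory export is surfaced instead of being silently misclassified.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA 100 firmware version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running firmware is older than the fixed version."""
    return parse_sma_version(version) < parse_sma_version(fixed)


def triage_inventory(inventory: dict) -> dict:
    """Map each device name to 'patch', 'ok' or 'review' (unparseable)."""
    result = {}
    for device, version in inventory.items():
        try:
            result[device] = "patch" if is_vulnerable(version) else "ok"
        except ValueError:
            result[device] = "review"
    return result


if __name__ == "__main__":
    # Constructed sample inventory: device names and versions are made up.
    sample = {
        "sma410-dc1": "10.2.1.13-72sv",
        "sma500v-aws": "10.2.1.14-75sv",
        "sma210-branch": "10.2.1.14-80sv",
        "sma400-lab": "10.2.1.9-57sv",
        "sma200-old": "unknown",
    }
    for device, action in triage_inventory(sample).items():
        print(f"{device}: {action}")
```

Devices reported as "review" should be checked by hand rather than assumed patched.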

Harden Security of Local Accounts on SonicWall SMA Devices

To protect against the malicious activities observed in this campaign, organizations should apply the following security best practices for firewalls: 

  • Enable multi-factor authentication for all accounts (especially local accounts). 
  • Consider resetting passwords of all local accounts on SonicWall SMA firewalls, ensuring that strong passwords are used across the board. 
  • Limit VPN access to the minimum necessary accounts. 
  • Remove or disable all unneeded accounts, including default admin accounts. 

Configure Log Monitoring for all Firewall Devices

To increase the likelihood of catching malicious activity early, ensure that syslog monitoring is configured for all of your organization’s firewall devices using our provided documentation. 
