Chaining CVE-2024-38475 and CVE-2023-44221 for Full System Compromise

CVE-2024-38475 is a critical vulnerability in the Apache HTTP Server’s mod_rewrite module that permits arbitrary file read under specific configurations. The flaw arises from inadequate sanitization of user-controlled input passed to RewriteRule directives, which allows attackers to traverse the filesystem by manipulating server variables and regex capture groups. Where vulnerable rewrite logic is in place, remote attackers can exfiltrate sensitive files such as database credentials, environment variables, or SSH private keys. The underlying flaw exists in Apache HTTP Server versions prior to 2.4.59 and impacts SonicWall Secure Mobile Access (SMA) 100 series appliances running versions earlier than 10.2.1.13-72sv. With a CVSS score of 9.1 (Critical), it poses a severe risk to confidentiality, integrity, and availability.

In parallel, CVE-2023-44221 targets a different layer of the system, the SonicWall SMA 100 series appliance software itself, and introduces a post-authentication command injection vulnerability within the web-based diagnostic interface. Here, user-supplied input is passed to shell commands invoked by CGI-based functions such as traceroute6 and ping6. Although a sanitization routine is applied to escape a set of special characters, the implementation is flawed: it does not bound the length of the escaped output. This oversight allows a stack buffer overflow, enabling attackers to overwrite adjacent memory and construct malformed shell commands that bypass the intended restrictions. As a result, arbitrary command execution can be achieved in the context of the nobody user. The vulnerability affects SMA 100 versions 10.2.1.9-57sv and earlier and has been assigned a CVSS score of 7.2, reflecting its high severity and exploitation complexity (WatchTowr, 2025).

While these vulnerabilities differ in nature, one enabling unauthenticated file disclosure, the other offering post-authentication code execution, they are increasingly being observed as components of chained exploitation campaigns. CVE-2024-38475 provides attackers with the means to enumerate configuration files, harvest credentials, and uncover backend services, laying the groundwork for authenticated access. From there, CVE-2023-44221 can be leveraged to escalate privileges or pivot deeper into the network through direct shell execution.

Together, these two vulnerabilities form a potent exploitation chain, offering adversaries a pathway from initial access to full compromise of edge infrastructure. This underscores the need for prompt patching, strict input validation in web server configurations, and robust segmentation and monitoring at the network edge.

Vulnerability Type (CWE)

CVE-2024-38475 – CWE-35: Path Traversal, a class of vulnerability that arises when user-controlled input is improperly validated before being used in file system operations.

CVE-2023-44221 – CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), which encompasses flaws where an application incorporates user input into system-level commands without adequately sanitizing or escaping special characters such as ;, &, |, or backticks.

CVE-2024-38475 CVSS Score

Base Score: 9.1 (Critical)

Attack Vector: Network (AV:N)

Attack Complexity: Low (AC:L)

Privileges Required: None (PR:N)

User Interaction: None (UI:N)

Scope: Unchanged (S:U)

Impact on CIA: High

  • Confidentiality: High (SC:H)
  • Integrity: High (SI:H)
  • Availability: High (SA:H)

CVE-2023-44221 CVSS Score

Base Score: 7.2 (High)

Attack Vector: Network (AV:N)

Attack Complexity: Low (AC:L)

Privileges Required: High (PR:H)

User Interaction: None (UI:N)

Scope: Unchanged (S:U)

Impact on CIA: High

  • Confidentiality: High (SC:H)
  • Integrity: High (SI:H)
  • Availability: High (SA:H)

Impacted Versions

| SMA 100 Series (SMA 200, 210, 400, 410, 500v) | Impacted versions                   | Patched versions                   |
|-----------------------------------------------|-------------------------------------|------------------------------------|
| CVE-2024-38475                                | 10.2.1.13-72sv and earlier versions | 10.2.1.14-75sv and higher versions |
| CVE-2023-44221                                | 10.2.1.9-57sv and earlier versions  | 10.2.1.10-62sv and higher versions |

Mitigation Steps

  1. Firmware Upgrade:
    • Update SonicWall SMA 100 appliances to firmware version 10.2.1.14-75sv or later, which patches both CVE-2023-44221 and CVE-2024-38475.
  2. Access Controls:
    • Restrict administrative access via IP allowlists or VPN-only access.
    • Implement role-based access control (RBAC) to ensure that only authorized personnel have access to high-privilege features.
    • Disable public internet exposure of management interfaces whenever possible, and place them behind bastion hosts or within segregated administrative networks.
  3. Monitoring and Logging:
    • Deploy real-time monitoring and alerting mechanisms to detect anomalous behaviors such as unusual shell activity, unexpected command execution (e.g., ifconfig, traceroute, or touch in diagnostic logs), or access to sensitive files.
    • Use file integrity monitoring (FIM) and log analysis tools to capture indicators of potential exploitation.
  4. Web Server Hardening:
    • Audit mod_rewrite rules in Apache configs.
    • If unused, disable mod_rewrite.
    • Run Apache with least-privilege.
  5. Defense in Depth:
    • Deploy a web application firewall (WAF) to block injection and traversal payloads.
    • Use IDS/IPS and network segmentation to limit attack surface.

Exploit Process of CVE-2024-38475 and CVE-2023-44221 on SonicWall SMA Appliances

(Watchtowr, 2025)
  1. Target Appliance and Vulnerable Configuration
     The SonicWall Secure Mobile Access (SMA) appliance, version 10.2.1.7-49sv, ships with an Apache HTTP server using mod_rewrite rules defined in /usr/src/EasyAccess/www/conf/httpd.conf. These rules include:
       RewriteRule ^/(.+)\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[A-Za-z0-9]*-[0-9]+.*\.css$ /$1.css
     This rule accepts paths matching a regular expression with an IP-like structure followed by a .css extension, strips everything after the first captured segment, and resolves the result relative to the DocumentRoot:
       DocumentRoot "/usr/src/EasyAccess/www/htdocs"
  2. Exploitation Primitives: Filename Confusion + mod_rewrite
     Orange Tsai previously identified a behavior in Apache’s mod_rewrite where the substitution path is treated like a URL rather than a filesystem path. Using a URL-encoded question mark (%3f), it is possible to truncate the requested path and bypass the expected file resolution logic.
  3. Triggering Arbitrary File Read
     By requesting a URL such as:
       https://host/tmp/secret.txt%3f.1.1.1.1a-1.css
     Apache’s mod_rewrite will:
    • Match the .css rewrite rule.
    • Truncate the suffix due to the %3f URL-encoded character.
    • Resolve /tmp/secret.txt directly, bypassing the document root restrictions.
     The server responds with the contents of the targeted file, assuming it is readable by the nobody user (the user under which the web server runs).
  4. Practical File Read: Apache Logs
     To verify file read capability, a request is made to retrieve the Apache access log:
       GET /mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css HTTP/1.1
     The server returns HTTP/1.1 200 OK with the log content, demonstrating successful arbitrary file access.
  5. Privilege Escalation via Session Hijacking
     One particularly valuable file, /tmp/temp.db, is a SQLite database storing active admin session details, including CSRF tokens and session cookies. Attempting to download the file via:
       curl https://host/tmp/temp.db%3f.1.1.1.1a-1.css -o temp.db
     sometimes returns an empty database, likely because the file is locked or actively being written. However, using HTTP Range headers, the attacker can reliably download the file in byte ranges:
       GET /tmp/temp.db%3f.1.1.1.1a-1.css HTTP/1.1
       Range: bytes=7875-8000
     This enables full offline reconstruction of the SQLite database and exfiltration of admin session tokens, effectively granting privileged access without authentication.
  6. Post-Auth RCE via CVE-2023-44221
     With administrative access achieved, the attacker can now exploit CVE-2023-44221, a post-auth command injection vulnerability in the traceroute6_handler function accessible via:
       POST /spog/diagnostics
     Initial attempts to inject commands via:
       tool=TRACEROUTE6_CMD&target=";touch+/tmp/malicious-payload;"
     fail due to the use of a sanitization function, shellScriptEncode(), which escapes key shell metacharacters such as ", $, `, and \.
  7. Bypassing shellScriptEncode() via Buffer Overflow
     The shellScriptEncode() function blindly escapes input and writes to a fixed-size buffer (escaped_cmd[256]) adjacent to another buffer (command[512]). There is no length check, so overlong input causes a stack buffer overflow, corrupting the command construction logic. Example:
       Input: target="""""... (hundreds of quotes)
       Output (escaped): \"\"\"\"\"... (resulting in more than 256 bytes)
     This corrupts the adjacent command buffer, removing the null terminator and allowing sprintf to concatenate data from both buffers, effectively constructing an unintended shell command. The malformed command is then executed via popen().
  8. Achieving Remote Code Execution
     Through this overflow-induced command manipulation, attackers can inject arbitrary commands. For instance:
       touch /tmp/malicious-payload
     is executed on the appliance, proving arbitrary command execution with the privileges of the nobody user.
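An added illustration, not SonicWall's or watchTowr's code, of how the encoder in step 7 looks once it is bounded: the escape routine refuses any input whose escaped form would not fit the 256-byte buffer, and the diagnostic target is allowlisted before it is escaped at all, as the mitigation section recommends. Only the buffer size and the name shellScriptEncode come from the article; every other name here is hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ESCAPED_MAX 256   /* buffer size named in the article */

/* Metacharacters the article says shellScriptEncode() escapes. */
static int needs_escape(char c)
{
    return c == '"' || c == '$' || c == '`' || c == '\\';
}

/* Bounded encoder: checks the room left before every write and returns -1
 * instead of writing past 'out'. Returns the escaped length on success. */
int shell_escape_bounded(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        size_t need = needs_escape(*in) ? 2 : 1;
        if (o + need >= out_len)      /* keep room for the NUL */
            return -1;
        if (need == 2)
            out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Allowlist for a traceroute6 target (hostname or IPv6 literal characters
 * only), so shell metacharacters are refused before escaping is attempted. */
int valid_target(const char *t)
{
    if (*t == '\0' || strlen(t) > 253)
        return 0;
    for (; *t; t++)
        if (!isalnum((unsigned char)*t) && !strchr(".:-", *t))
            return 0;
    return 1;
}

/* Builds the command only when the target is valid and its escaped form fits;
 * snprintf bounds the final write. Returns the command length or -1. */
int build_traceroute6_cmd(const char *target, char *command, size_t cmd_len)
{
    char escaped[ESCAPED_MAX];
    if (!valid_target(target) ||
        shell_escape_bounded(target, escaped, sizeof escaped) < 0)
        return -1;
    int n = snprintf(command, cmd_len, "traceroute6 \"%s\"", escaped);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : n;
}
```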

Timeline

  • December 4, 2023 – SonicWall releases patch for CVE-2023-44221 in version 2.1.10-62sv and later.
  • December 4, 2024 – SonicWall issues fix for CVE-2024-38475 in version 2.1.14-75sv and later.
  • April 29, 2025 – SonicWall confirms both vulnerabilities are potentially being exploited in the wild; urges customers to verify for unauthorized access and update devices.

IOCs

  • URL Access Patterns
    • Requests with URL-encoded special characters (e.g., %3f) targeting sensitive paths
    • Suspicious .css file suffixes used to obfuscate malicious requests
    • Unusual access attempts to local file paths like /etc/passwd, /tmp/*.db, /mnt/ram/*
  • Suspicious HTTP Headers
    • Valid-looking CSRF tokens in conjunction with malformed or obfuscated parameters
    • Consistent use of session cookies in malicious POST requests
  • File Access Behavior
    • Byte-range read attempts on log or database files
    • Unauthorized or repeated access to system files not normally exposed via HTTP
  • Command Injection Signatures
    • POST requests to diagnostic or tool endpoints with shell metacharacters (;, |, &&)
    • Parameters attempting to execute system commands (e.g., using touch, wget, or curl)
  • Artifact Creation
    • Unexpected files appearing in writable directories like /tmp/, suggesting attacker presence or tooling execution
  • Log Artifacts
    • Repeated HTTP 404/403 errors tied to malformed .css or encoded requests
    • Anomalous patterns in web server logs, especially tied to internal path traversal or probing
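As an added example, not from the article or either vendor, the URL and log indicators above expressed as a small C classifier that scores a single Apache access-log line in the standard combined/common format. The IOC_* names are my own and the log lines used to exercise it are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Indicator bits returned by classify_log_line(). */
enum {
    IOC_ENCODED_QMARK_CSS = 1,  /* %3f (encoded '?') ahead of a .css suffix */
    IOC_SENSITIVE_PATH    = 2,  /* path rooted in /tmp, /mnt/ram or /etc    */
    IOC_ERROR_ON_ODD_CSS  = 4   /* 403/404 on a %-encoded .css request      */
};

static int ends_with(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && strcmp(s + ls - lf, suf) == 0;
}

static int starts_with(const char *s, const char *pre)
{
    return strncmp(s, pre, strlen(pre)) == 0;
}

/* Scores one log line whose request is the quoted "METHOD /path HTTP/x.y"
 * field followed by the status code. Returns a bitmask of IOC_* values;
 * 0 means nothing matched or the line could not be parsed. */
unsigned classify_log_line(const char *line)
{
    char path[1024];
    const char *q = strchr(line, '"');              /* opening quote   */
    const char *p = q ? strchr(q + 1, ' ') : NULL;  /* after METHOD    */
    const char *e = p ? strchr(p + 1, ' ') : NULL;  /* end of the path */
    if (!e || (size_t)(e - p - 1) >= sizeof path)
        return 0;
    memcpy(path, p + 1, e - p - 1);
    path[e - p - 1] = '\0';
    const char *close = strchr(e, '"');
    int status = close ? atoi(close + 1) : 0;       /* atoi skips the space */

    unsigned flags = 0;
    int css = ends_with(path, ".css");
    if (css && (strstr(path, "%3f") || strstr(path, "%3F")))
        flags |= IOC_ENCODED_QMARK_CSS;
    if (starts_with(path, "/tmp/") || starts_with(path, "/mnt/ram/") ||
        starts_with(path, "/etc/"))
        flags |= IOC_SENSITIVE_PATH;
    if (css && strchr(path, '%') && (status == 403 || status == 404))
        flags |= IOC_ERROR_ON_ODD_CSS;
    return flags;
}
```

Feed it each line of the access log and alert on any non-zero result; a hit on both IOC_ENCODED_QMARK_CSS and IOC_SENSITIVE_PATH is the pattern described in the exploit process above.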

The combined exploitation of CVE-2024-38475 and CVE-2023-44221 in SonicWall SMA 100 devices presents a potent attack vector with serious implications for enterprise environments. CVE-2024-38475, a critical path traversal flaw in Apache HTTP Server, can be exploited remotely without authentication to gain unauthorized access to sensitive files and configurations. In practice, attackers often leverage this exposure to escalate privileges or retrieve credentials, enabling them to pivot toward more intrusive attacks.

Once privileged access is obtained, CVE-2023-44221 becomes particularly dangerous. This post-authentication OS command injection vulnerability allows an attacker with administrative rights to execute arbitrary system commands as the nobody user. When chained, the two flaws can lead to full system compromise, enabling persistent access, lateral movement, and the deployment of additional payloads (SonicWall, 2025).

Given the severity of this exploit chain, immediate remediation is critical. Organizations should apply the latest firmware updates, restrict administrative access, and implement strict input validation across all management interfaces. Enhanced monitoring and anomaly detection should be prioritized to identify potential abuse of these vulnerabilities in the wild.

Centripetal’s Perspective

Centripetal’s CleanINTERNET® service provides a proactive, intelligence-driven defense against vulnerabilities like CVE-2024-38475 and CVE-2023-44221, which allow remote attackers to traverse file paths and execute arbitrary commands on SonicWall SMA 100 appliances. By exploiting these flaws in tandem, adversaries can escalate privileges and gain persistent control over targeted environments. Leveraging billions of threat indicators, CleanINTERNET dynamically blocks malicious traffic using real-time global threat feeds and augmented human analysis, proactively protecting organizations from exploitation attempts involving known IoCs. This approach ensures reduced attack surface, enhanced security operations, and uninterrupted business continuity, enabling organizations to adopt a proactive and adaptive cybersecurity strategy against evolving threats.

If you are a current client of SonicWall SMA 100 please contact support@centripetal.ai.

Centripetal is also pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
