CVE-2023-44221 — SonicWall SMA100 Appliances OS Command Injection Vulnerability

SonicWall SMA100 SSL VPN — Admin-Auth Command Injection Executes as 'nobody'; Chained with CVE-2021-20035 in Active 2025 Exploitation Campaign; KEV May 2025

What is SonicWall SMA100?

SonicWall SMA (Secure Mobile Access) 100 series are SSL VPN and remote access appliances used by small and mid-sized organizations to provide secure remote access to internal networks and applications. SMA100 appliances (SMA 200, 210, 400, 410, 500v) are internet-facing VPN gateways that authenticate remote users and proxy their connections to internal resources. As internet-accessible network infrastructure with administrative management interfaces, SMA100 appliances have been repeatedly targeted by threat actors — with multiple SonicWall SMA100 vulnerabilities appearing in CISA KEV, including CVE-2021-20016, CVE-2021-20028, CVE-2021-20035, and CVE-2023-44221.

Overview

CVE-2023-44221 is a command injection vulnerability in the SonicWall SMA100 SSL-VPN management interface that allows a remote attacker with administrative privileges to inject arbitrary OS commands that execute as the nobody user on the appliance. SonicWall patched it in December 2023. CISA did not add it to KEV until May 2025 — 17 months later — when SonicWall disclosed that CVE-2023-44221 was being actively exploited in the wild, chained with CVE-2021-20035 (a separate SMA100 path traversal vulnerability allowing arbitrary file read) in a combined attack campaign. The CVSS Privileges Required: High (PR:H) rating means an attacker must first obtain admin credentials, typically through credential theft, phishing, or exploitation of another vulnerability.

Affected Versions

Product              Vulnerable                   Fixed
SMA 200              10.2.1.1-19sv and earlier    10.2.1.2-24sv
SMA 210              10.2.1.1-19sv and earlier    10.2.1.2-24sv
SMA 400              10.2.1.1-19sv and earlier    10.2.1.2-24sv
SMA 410              10.2.1.1-19sv and earlier    10.2.1.2-24sv
SMA 500v (virtual)   10.2.1.1-19sv and earlier    10.2.1.2-24sv

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The SMA100 SSL-VPN management interface (the administrative web UI accessible over HTTPS) contains a command injection vulnerability in one or more management functions. An authenticated administrator can supply specially crafted input containing OS command metacharacters that are passed unsanitized to the underlying SonicWall OS shell, executing as the nobody user.

While nobody is an unprivileged user, execution on a VPN appliance even as nobody provides significant capability: access to configuration files, the ability to read VPN session data, and potential for further privilege escalation via secondary vulnerabilities or misconfigurations on the appliance's embedded Linux system.

The practical exploitation scenario involves chaining with CVE-2021-20035 (path traversal / arbitrary file read): attackers first use CVE-2021-20035 to read sensitive configuration files (including admin credentials from the appliance filesystem), then use those stolen credentials to authenticate as admin and exploit CVE-2023-44221 for command injection.

Discovery

The December 2023 patch was routine vendor patching. The active exploitation was identified in 2025 by SonicWall's PSIRT during investigation of customer compromises, leading to the May 2025 advisory and CISA KEV addition.

Exploitation Context

SonicWall's May 2025 disclosure confirmed active exploitation of CVE-2023-44221 chained with CVE-2021-20035. The attack chain is:

  1. Exploit CVE-2021-20035 (path traversal) to read SMA100 configuration files without authentication — extracting admin credentials or session tokens stored on the appliance.
  2. Use obtained credentials to authenticate as administrator to the management interface.
  3. Exploit CVE-2023-44221 to execute OS commands as nobody on the appliance.

This two-step chain converts what would otherwise be a limited-impact admin-only vulnerability into a more dangerous attack accessible to unauthenticated actors who can first exploit the path traversal. The 17-month delay between CVE-2023-44221's patch and its KEV addition reflects that exploitation was only observed and confirmed in 2025.

Remediation

  1. Upgrade SMA100 firmware to 10.2.1.2-24sv or later — this patches CVE-2023-44221.
  2. Also apply the fix for CVE-2021-20035 if not already done — the two vulnerabilities are chained in active exploitation and both must be patched.
  3. Reset all SMA100 admin credentials after patching — if credentials were exposed via CVE-2021-20035 path traversal, they should be treated as compromised.
  4. Review SMA100 management logs for unauthorized admin authentication events and unusual management interface activity, particularly from unexpected IP addresses.
  5. Restrict management interface access to dedicated management networks — admin access to the SMA100 management UI should never be internet-accessible.
  6. Check SMA100 for signs of persistent compromise: unexpected processes, modified configuration files, or web shells on the appliance filesystem.
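To support step 1, the following is an added example (not SonicWall's code) that parses the SMA100 firmware version strings quoted in this advisory and flags appliances still below the fixed build 10.2.1.2-24sv. The version format (four dotted numeric fields, a hyphen, a build number, "sv") and its numeric ordering are assumptions read off this page's version strings, and the inventory hostnames and the older build in the sample are constructed.

```python
import re
from typing import Dict, Tuple

# Fixed release from the SonicWall advisory for CVE-2023-44221 (from this page).
FIXED_VERSION = "10.2.1.2-24sv"

# Assumed format, inferred from "10.2.1.1-19sv": four dotted numeric fields,
# a hyphen, a build number and an "sv" suffix. Anything else is rejected
# rather than guessed at, so unknown strings never silently pass as patched.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.2-24sv' into the comparable tuple (10, 2, 1, 2, 24)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA100 firmware version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running firmware sorts below the fixed release.

    Assumes numeric field-by-field ordering; the build number after the
    hyphen is only compared when the dotted fields are equal.
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance to 'PATCH' or 'OK' from its firmware string."""
    return {host: ("PATCH" if is_vulnerable(v) else "OK")
            for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {
        "sma410-dc1": "10.2.1.1-19sv",     # last vulnerable build named on the page
        "sma500v-lab": "10.2.1.2-24sv",    # the fixed build
        "sma210-branch": "10.2.0.9-41sv",  # constructed older build, also vulnerable
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```

An appliance flagged PATCH should also get the credential reset and log review from steps 3 and 4, since patching alone does not revoke credentials already read via CVE-2021-20035.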

Key Details

Property              Value
CVE ID                CVE-2023-44221
Vendor / Product      SonicWall — SMA100 Appliances
NVD Published         2023-12-05
NVD Last Modified     2025-10-31
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2025-05-01
CISA KEV Deadline     2025-05-22
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: High
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2025-05-22. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-12-05  SonicWall publishes SNWLID-2023-0018 patching CVE-2023-44221 — OS command injection in SMA100 SSL-VPN management interface
2025-05-01  CISA adds CVE-2023-44221 and CVE-2021-20035 to Known Exploited Vulnerabilities catalog — active chained exploitation confirmed 17 months after the CVE-2023-44221 patch
2025-05-22  CISA BOD 22-01 remediation deadline