Attackers have been actively exploiting vulnerabilities in SonicWall SMA100 appliances and Apache HTTP Server, posing significant security risks to organizations relying on these technologies. The vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, have both been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring their critical nature.
CVE-2023-44221, a high-severity flaw with a CVSS score of 7.2, affects the SonicWall SMA100 appliances. This vulnerability arises from improper neutralization of special elements in the SSL-VPN management interface, allowing a remote authenticated attacker with administrative privileges to inject arbitrary commands. This can lead to OS command injection, executed as a 'nobody' user. The flaw has been actively exploited in the wild, with exploitation occurring within 512 days of its disclosure.
Meanwhile, CVE-2024-38475, a critical vulnerability with a CVSS score of 9.1, impacts Apache HTTP Server versions 2.4.59 and earlier. The vulnerability is due to improper escaping of output in the mod_rewrite module, which allows attackers to map URLs to filesystem locations that should not be directly accessible. This can result in code execution or source code disclosure. The flaw has been exploited within 303 days of disclosure, and proof-of-concept exploits are readily available. Notably, this vulnerability has been linked to Iranian IRGC data extortion operations, highlighting its use in targeted attacks.
Both vulnerabilities have been exploited in the wild, prompting urgent action from security teams. Organizations using affected SonicWall and Apache products should prioritize patching and review their systems for signs of compromise. CISA's inclusion of these vulnerabilities in the KEV catalog emphasizes the need for immediate remediation to mitigate potential threats.
CSURFACE