CVE-2023-44221


CVSS 7.2 HIGH · EPSS 74.9% · KEV · CWE-78
In short

The SMA100 SSL-VPN management interface fails to properly filter special characters in user input, allowing an authenticated admin user to inject malicious commands that execute as the low-privileged 'nobody' user. This could let an attacker gain unauthorized control over the VPN device.

Technical detail

A CWE-78 OS command injection vulnerability exists in the SMA100 SSL-VPN management interface due to improper neutralization of special elements in user input. An authenticated administrator can inject arbitrary OS commands that execute in the 'nobody' user context, potentially compromising device integrity and confidentiality.

Summary generated and translated by AI from the official description.
Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
SonicWall · SMA100
