CVE-2023-44221

CVE-2023-44221

Vendor Sonicwall
Product SMA100
Weakness CWE-78
KEV Status Known Exploited
Published December 5, 2023
Last update October 21, 2025

CVSS base score

What the vulnerability does

01Description

Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

December 5, 2023 CVE published
October 21, 2025 Record updated