# U.S. CISA Adds SonicWall SMA100 and Apache HTTP Server Flaws to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, bringing the total number of known exploited vulnerabilities in the system to 11.
In a recent update, CISA has included flaws related to SonicWall's SMA100 Secure Mobile Access appliances and Apache HTTP Server version 2.4.59 and earlier. The agency has also added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to the catalog.
### SonicWall SMA100 Flaws
SonicWall has revealed that attackers actively exploited two security vulnerabilities in its SMA100 Secure Mobile Access appliances. The first vulnerability, CVE-2023-44221, has a CVSS score of 7.2 and is an OS command injection vulnerability that allows an attacker to inject arbitrary commands as the 'nobody' user.
The second vulnerability, CVE-2024-38475, has a higher CVSS score of 9.8 and is related to improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier. An attacker can exploit this flaw to map URLs to file system locations that are permitted to be served by the server.
SonicWall's advisory notes that SMA100 devices updated with firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described. However, both flaws impact SMA 100 Series devices, including SMA 200, 210, 400, 410, 500v.
### Apache HTTP Server Flaw
The second vulnerability, CVE-2024-38475, also affects Apache HTTP Server version 2.4.59 and earlier. The flaw allows an attacker to map URLs to file system locations that are permitted to be served by the server, potentially enabling session hijacking.
### CISA Action
CISA has issued a binding operational directive (BOD) for federal agencies to address the identified vulnerabilities by May 22, 2025, as part of its efforts to reduce the significant risk of known exploited vulnerabilities. Experts recommend that private organizations review the KEV catalog and address these vulnerabilities in their infrastructure.
### Recommendations
To protect networks against attacks exploiting the flaws, experts recommend the following:
* Review the KEV catalog and identify affected devices.
* Apply patches or updates for affected devices as soon as possible.
* Implement additional security measures to prevent exploitation of known vulnerabilities.
* Conduct regular vulnerability assessments and penetration testing.
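The first two recommendations can be automated: pull the KEV feed, match its CVE ids against an asset inventory, and apply the version thresholds the advisories give. The script below is an added example written for this article; it is not code from CISA, SonicWall or Apache. It assumes the documented shape of CISA's KEV JSON feed (`vulnerabilities[].cveID`, `dueDate`), embeds a constructed sample of that feed and a constructed inventory so it runs offline, and encodes only the thresholds the article states: SMA100 firmware 10.2.1.14-75sv is not vulnerable to CVE-2024-38475, and Apache HTTP Server 2.4.59 and earlier is. The article names no fixed firmware for CVE-2023-44221, so that rule carries no threshold and every matching SMA device is reported as "verify" rather than silently cleared.

```python
"""Cross-check an asset inventory against CISA KEV entries and advisory
version thresholds. Added example, not code from CISA, SonicWall or Apache."""
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; only the fields
# used below are filled in.
KEV_SAMPLE_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall",
         "product": "SMA100 Appliances", "dueDate": "2025-05-22"},
        {"cveID": "CVE-2024-38475", "vendorProject": "Apache",
         "product": "HTTP Server", "dueDate": "2025-05-22"},
    ],
})

# Constructed asset inventory; hostnames and versions are made up.
INVENTORY = [
    {"host": "vpn-edge-01", "product": "SonicWall SMA 410", "version": "10.2.1.13-72sv"},
    {"host": "vpn-edge-02", "product": "SonicWall SMA 500v", "version": "10.2.1.14-75sv"},
    {"host": "web-01", "product": "Apache HTTP Server", "version": "2.4.58"},
    {"host": "web-02", "product": "Apache HTTP Server", "version": "2.4.62"},
]

# Thresholds as stated in the article. CVE-2023-44221 has no stated fixed
# firmware here, so its rule has no threshold and matching devices are
# reported for manual verification against the vendor advisory.
RULES = [
    {"cve": "CVE-2023-44221", "product": re.compile(r"SonicWall SMA", re.I),
     "fixed_in": None, "affected_through": None},
    {"cve": "CVE-2024-38475", "product": re.compile(r"SonicWall SMA", re.I),
     "fixed_in": "10.2.1.14-75sv", "affected_through": None},
    {"cve": "CVE-2024-38475", "product": re.compile(r"Apache HTTP Server", re.I),
     "fixed_in": None, "affected_through": "2.4.59"},
]


def version_key(version):
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def load_kev_cves(text):
    """Parse the KEV feed and index its entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def is_affected(rule, version):
    """True/False when the rule has a threshold; None when only a manual check is possible."""
    key = version_key(version)
    if rule["fixed_in"]:
        return key < version_key(rule["fixed_in"])
    if rule["affected_through"]:
        return key <= version_key(rule["affected_through"])
    return None


def find_exposures(kev, inventory, rules=RULES):
    """Report every (host, CVE) pair that is affected or cannot be cleared automatically.

    Only CVEs present in the KEV feed are considered (the 'review the KEV
    catalog' step); the due date is carried over for prioritisation.
    """
    report = []
    for asset in inventory:
        for rule in rules:
            entry = kev.get(rule["cve"])
            if entry is None or not rule["product"].search(asset["product"]):
                continue
            status = is_affected(rule, asset["version"])
            if status is False:
                continue  # version is at or past the fix threshold
            report.append({"host": asset["host"], "cve": rule["cve"],
                           "product": asset["product"], "version": asset["version"],
                           "status": "affected" if status else "verify",
                           "due_date": entry["dueDate"]})
    return report


def days_until_due(due_date, today):
    """Days remaining before the KEV due date (negative when already overdue)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (date.fromisoformat(due_date) - today).days


if __name__ == "__main__":
    for row in find_exposures(load_kev_cves(KEV_SAMPLE_JSON), INVENTORY):
        left = days_until_due(row["due_date"], "2025-05-12")  # constructed 'today'
        print(f"{row['host']:<12} {row['cve']}  {row['status']:<8} due in {left:>3} days")
```

Against the live feed, replace `KEV_SAMPLE_JSON` with the downloaded catalog and the inventory with your CMDB export; the matching logic stays the same. The numeric version key is deliberately simple: it handles the dotted and `-NNsv` forms in the article but would need extending for vendors that use letters or pre-release tags in version strings.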
By taking proactive steps to address these known exploited vulnerabilities, organizations can reduce their risk of falling victim to cyber attacks.