CVE-2021-20021
published 2021-04-09


Priority: P196 | Severity: critical | CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 83.43% (99.6th percentile)
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

Affected

13 ranges

Vendor     Product                                         Version range   Fixed in
sonicwall  email_security                                  < 10.0.9.6103   10.0.9.6103
sonicwall  email_security                                  (not listed)    (not listed)
sonicwall  email_security                                  (not listed)    (not listed)
sonicwall  email_security_appliance_3300_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_4300_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_5000_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_5050_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_7000_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_7050_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_8300_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_appliance_9000_firmware          < 10.0.9.6105   10.0.9.6105
sonicwall  email_security_virtual_appliance                < 10.0.9.6105   10.0.9.6105
sonicwall  hosted_email_security                           < 10.0.9.6103   10.0.9.6103

Detection & IOCs (extracted from sources)

other: Apache-Coyote/1.1
bytes: 490a00463044022078ebe7edc30e677cb936248af9d65a3a8e1103f09440456f021b91eb8152ae0702207edeaea6e80f010cf74082f5b40d7ea7ebd9ac8ea8aa5af4a81bf1c843eb8cd6:922c64590222798bb761d5b6d8e72950
  • Detect exploitation attempts by matching HTTP responses that contain the SonicWall Email Security login page header together with the Apache-Coyote/1.1 server header; both conditions must be true (AND logic), as in the nuclei template condition.
  • Extract the SonicWall Email Security version from the response body using the regex pattern matching a version string in the 'lefthand' CSS class, to identify vulnerable 10.0.9.x instances.
  • CVE-2021-20021 is actively exploited in the wild as part of a three-CVE chain (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023) to achieve privilege escalation on SonicWall Email Security; detections should correlate all three.
  • The exploit involves sending a crafted HTTP request to create an administrative account; monitor for unexpected admin account creation events on SonicWall Email Security hosts.
  • CVE-2021-20021 affects only SonicWall Email Security version 10.0.9.x; detections and mitigations should be scoped to this specific version range.
  • The three-CVE exploit chain (CVE-2021-20021 for account creation, CVE-2021-20022 for file upload, CVE-2021-20023 for path traversal) applies to both on-premises and hosted SonicWall Email Security products.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL