CVE-2021-20021
Published: 2021-04-09
Priority P196 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2021-11-17
Exploited in the wild
EPSS: 83.43% (99.6th percentile)
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | email_security | < 10.0.9.6103 | 10.0.9.6103 |
| sonicwall | email_security | — | — |
| sonicwall | email_security | — | — |
| sonicwall | email_security_appliance_3300_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_4300_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_5000_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_5050_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_7000_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_7050_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_8300_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_9000_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_virtual_appliance | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | hosted_email_security | < 10.0.9.6103 | 10.0.9.6103 |
Detection & IOCs
other: Apache-Coyote/1.1
bytes
490a00463044022078ebe7edc30e677cb936248af9d65a3a8e1103f09440456f021b91eb8152ae0702207edeaea6e80f010cf74082f5b40d7ea7ebd9ac8ea8aa5af4a81bf1c843eb8cd6:922c64590222798bb761d5b6d8e72950
- Detect exploitation attempts by matching HTTP responses containing the SonicWall Email Security login page header combined with the Apache-Coyote/1.1 server header; both conditions must be true (AND logic) per the nuclei template condition.
- Extract the SonicWall Email Security version from the response body using the regex pattern matching a version string in the 'lefthand' CSS class, to identify vulnerable 10.0.9.x instances.
- CVE-2021-20021 is actively exploited in the wild as part of a three-CVE chain (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023) to achieve privilege escalation on SonicWall Email Security; detections should correlate all three.
- The exploit involves sending a crafted HTTP request to create an administrative account; monitor for unexpected admin account creation events on SonicWall Email Security hosts.
- CVE-2021-20021 affects only SonicWall Email Security version 10.0.9.x; detections and mitigations should be scoped to this specific version range.
- The three-CVE exploit chain (CVE-2021-20021 for account creation, CVE-2021-20022 for file upload, CVE-2021-20023 for path traversal) applies to both on-premises and hosted SonicWall Email Security products.
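The fingerprint and version checks described in the first two items can be run over responses already captured from hosts you operate. The sketch below is an added example, not code from the Nuclei template or from this page's sources; `LOGIN_MARKER`, the `kind` labels and the status strings are assumptions, while the regex, the server header and the fixed builds come from this page.

```python
import re

# Regex copied from the Nuclei extractor quoted on this page.
VERSION_RE = re.compile(r'class="lefthand">([0-9.]+)')
SERVER_MARKER = "Apache-Coyote/1.1"        # header matcher quoted on this page
LOGIN_MARKER = "SonicWall Email Security"  # ASSUMPTION: stand-in for the truncated body matcher
# First fixed builds from the "Affected" table on this page.
FIXED = {"software": (10, 0, 9, 6103), "appliance": (10, 0, 9, 6105)}


def parse_version(text):
    """Turn '10.0.9.6100' into (10, 0, 9, 6100); None if malformed."""
    parts = text.strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(headers, body, kind="software"):
    """Classify one already-captured HTTP response; returns (status, version)."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    # Both matchers must hold (condition: and), otherwise it is not this product.
    if SERVER_MARKER not in server or LOGIN_MARKER not in body:
        return ("not-fingerprinted", None)
    match = VERSION_RE.search(body)
    version = parse_version(match.group(1)) if match else None
    if version is None:
        return ("version-unknown", None)
    shown = ".".join(map(str, version))
    if version[:3] != (10, 0, 9):
        return ("outside-10.0.9.x", shown)   # the CVE text scopes to 10.0.9.x
    if len(version) < 4:
        return ("build-unknown", shown)      # cannot compare without a build number
    status = "vulnerable" if version < FIXED[kind] else "patched"
    return (status, shown)


if __name__ == "__main__":
    # Constructed sample response, not captured from a real host.
    sample = '<title>SonicWall Email Security</title><td class="lefthand">10.0.9.6100</td>'
    print(assess({"Server": "Apache-Coyote/1.1"}, sample))
```

A `version-unknown` or `build-unknown` result still means the host fingerprinted as SonicWall Email Security, so it belongs on the list for manual version confirmation.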
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
CISA
SonicWall Email Security Unrestricted Upload of File Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-20022 [CRITICAL] CWE-434 SonicWall Email Security Unrestricted Upload of File Vulnerability
Vulnerability: SonicWall Email Security Unrestricted Upload of File Vulnerability
Affected: SonicWall SonicWall Email Security
SonicWall Email Security contains an unrestricted upload of file with dangerous type vulnerability that allows a post-authenticated attacker to upload a file to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20023 to achieve privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20022
Remediation Due Date: 2021-11-17
CISA
SonicWall Email Security Path Traversal Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-20023 [CRITICAL] CWE-22 SonicWall Email Security Path Traversal Vulnerability
Vulnerability: SonicWall Email Security Path Traversal Vulnerability
Affected: SonicWall SonicWall Email Security
SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20022 to achieve privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20023
Remediation Due Date: 2021-11-17
CISA
SonicWall Email Security Improper Privilege Management Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-20021 [CRITICAL] CWE-306 SonicWall Email Security Improper Privilege Management Vulnerability
Vulnerability: SonicWall Email Security Improper Privilege Management Vulnerability
Affected: SonicWall SonicWall Email Security
SonicWall Email Security contains an improper privilege management vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20022 and CVE-2021-20023 to achieve privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20021
Remediation Due Date: 2021-11-17
SonicWall
CVE-2021-20021: A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP requ
vendor_sonicwall·2021-04-09·CVSS 9.8
CVE-2021-20021 [CRITICAL] CWE-269 CVE-2021-20021: A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP requ
CVE-2021-20021: A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
GHSA
GHSA-qwrf-wf47-mf5j: A vulnerability in the SonicWall Email Security version 10
ghsa_unreviewed·2022-05-24
CVE-2021-20021 [CRITICAL] CWE-269 GHSA-qwrf-wf47-mf5j: A vulnerability in the SonicWall Email Security version 10
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
VulnCheck
SonicWall Email Security Unrestricted Upload of File Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20022 [CRITICAL] CWE-434 SonicWall Email Security Unrestricted Upload of File Vulnerability
SonicWall Email Security Unrestricted Upload of File Vulnerability
SonicWall Email Security contains an unrestricted upload of file with dangerous type vulnerability that allows a post-authenticated attacker to upload a file to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20023 to achieve privilege escalation.
Affected: SonicWall SonicWall Email Security
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise/; https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to
VulnCheck
SonicWall Email Security Improper Privilege Management Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20021 [CRITICAL] CWE-306 SonicWall Email Security Improper Privilege Management Vulnerability
SonicWall Email Security Improper Privilege Management Vulnerability
SonicWall Email Security contains an improper privilege management vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20022 and CVE-2021-20023 to achieve privilege escalation.
Affected: SonicWall SonicWall Email Security
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise/; https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-ema
VulnCheck
SonicWall Email Security Path Traversal Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20023 [CRITICAL] CWE-22 SonicWall Email Security Path Traversal Vulnerability
SonicWall Email Security Path Traversal Vulnerability
SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20022 to achieve privilege escalation.
Affected: SonicWall SonicWall Email Security
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise/; https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html; https://www.mandiant.com/resourc
Suricata
ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M2
suricata·2025-09-26·CVSS 9.8
CVE-2021-20021 [CRITICAL] ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M2
ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M2
Rule: alert http any any -> $HOME_NET any (msg:"ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M2"; flow:established,to_server; http.uri; bsize:9; content:"/createou"; fast_pattern; startswith; http.request_body; content:"data|3d|"; http.method; content:"POST"; reference:url,cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise; reference:cve,2021-20021; classtype:web-application-attack; sid:2064935; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_26, cve CVE_2021_20021, deployment Perimeter, deployment Internal, deployment SSLDecry
Suricata
ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M1
suricata·2025-09-26·CVSS 9.8
CVE-2021-20021 [CRITICAL] ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M1
ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M1
Rule: alert http any any -> $HOME_NET any (msg:"ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M1"; flow:established,to_server; http.uri; content:"/createou|3f|"; fast_pattern; startswith; content:"data|3d|"; http.method; content:"GET"; reference:url,cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise; reference:cve,2021-20021; classtype:web-application-attack; sid:2064934; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_26, cve CVE_2021_20021, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, sign
Nuclei
SonicWall Email Security <= 10.0.9.x - Unauthenticated Admin Account Creation
nuclei·CVSS 9.8
CVE-2021-20021 [CRITICAL] SonicWall Email Security <= 10.0.9.x - Unauthenticated Admin Account Creation
SonicWall Email Security Email Security Login")'
- 'contains(header, "Apache-Coyote/1.1")'
condition: and
extractors:
- type: regex
part: body
group: 1
name: version
regex:
- 'class="lefthand">([0-9.]+)'
# digest: 490a00463044022078ebe7edc30e677cb936248af9d65a3a8e1103f09440456f021b91eb8152ae0702207edeaea6e80f010cf74082f5b40d7ea7ebd9ac8ea8aa5af4a81bf1c843eb8cd6:922c64590222798bb761d5b6d8e72950
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Checkpoint
26th April – Threat Intelligence Report
blogs_checkpoint·2021-04-26
CVE-2021-20021 26th April – Threat Intelligence Report
## 26th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th April, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The notorious ransomware gang REvil is claiming to have stolen data and schematics from Apple supplier Quanta Computer, and is demanding $50 million to not release the data online. As proof, the hackers have already released data about unreleased MacBook Pros and iMac.
Check Point Harmony Endpoint provides protection agains
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
2021-04-09 · Published
2021-11-03 · Added to CISA KEV
Exploited in the wild