CVE-2021-20022
published 2021-04-09

CVE-2021-20022: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.

Priority: P1 · 84
Severity: high, 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 16.51% (96.6th percentile)

Affected

13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | email_security | < 10.0.9.6103 | 10.0.9.6103 |
| sonicwall | email_security | | |
| sonicwall | email_security | | |
| sonicwall | email_security_appliance_3300_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_4300_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_5000_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_5050_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_7000_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_7050_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_8300_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_appliance_9000_firmware | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | email_security_virtual_appliance | < 10.0.9.6105 | 10.0.9.6105 |
| sonicwall | hosted_email_security | < 10.0.9.6103 | 10.0.9.6103 |

Detection & IOCs (extracted from sources)

  • CVE-2021-20022 is exploited as part of a three-CVE chain (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023) against SonicWall Email Security to achieve privilege escalation; detect chained exploitation attempts targeting this product.
  • The vulnerability allows a post-authenticated attacker to upload an arbitrary file to the remote host on SonicWall Email Security version 10.0.9.x; monitor for unexpected file uploads by authenticated sessions on this product.
  • CVE-2021-20021 (used in the same exploit chain) involves sending a crafted HTTP request to create an administrative account; monitor SonicWall Email Security for unauthorized admin account creation via anomalous HTTP requests.
  • CVE-2021-20023 (used in the same exploit chain) is a path traversal allowing a post-authenticated attacker to read files on the remote host; monitor for path traversal patterns in requests to SonicWall Email Security.
  • The vulnerability specifically affects SonicWall Email Security version 10.0.9.x only; detections should be scoped to this version range.
  • Exploitation requires prior authentication (post-authenticated); unauthenticated access alone is insufficient to trigger CVE-2021-20022, but CVE-2021-20021 in the chain can be used to first create an admin account without credentials.

CVSS provenance

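| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |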