CVE-2021-20023
Published 2021-04-20
CVE-2021-20023: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
Priority P182 · medium · 4.9 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 51.41% (98.8th percentile)
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | email_security | < 10.0.9.6173 | 10.0.9.6173 |
| sonicwall | email_security | — | — |
| sonicwall | email_security | — | — |
| sonicwall | email_security_appliance_3300_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_4300_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_5000_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_5050_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_7000_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_7050_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_8300_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_appliance_9000_firmware | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | email_security_virtual_appliance | < 10.0.9.6177 | 10.0.9.6177 |
| sonicwall | hosted_email_security | < 10.0.9.6173 | 10.0.9.6173 |
Detection & IOCs (extracted from sources)
url: /dload_apps?
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall Email Security Authenticated Directory Traversal in Branding Feature (CVE-2021-20023)"; flow:established,to_server; http.uri; content:"/dload_apps|3f|"; fast_pattern; startswith; content:"action|3d|"; content:"path|3d|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise; reference:cve,2021-20023; classtype:web-application-attack; sid:2064936; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_26, cve CVE_2021_20023, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit requests target the URI path beginning with /dload_apps? and include both 'action=' and 'path=' parameters; the path parameter contains directory traversal sequences (e.g., ../ or URL-encoded equivalents %2e%2e%2f, %2e%2e%5c) repeated at least twice.
- CVE-2021-20023 is used in a chained exploit alongside CVE-2021-20021 (admin account creation via crafted HTTP request) and CVE-2021-20022 (unrestricted file upload) to achieve full privilege escalation; monitor for all three CVEs in combination.
- The vulnerability is a path traversal (directory traversal) in the Branding Feature of SonicWall Email Security, exploitable only by a post-authenticated attacker to read arbitrary files on the remote host.
- The Snort/Suricata rule (ET sid:2064936) should be deployed at the perimeter, internally, and on SSL-decrypting sensors (TLSDecrypt/SSLDecrypt) to catch this attack over HTTPS.
- The vulnerability only affects SonicWall Email Security version 10.0.9.x; scope detection rules accordingly.
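For retrospective hunting where the network rule was not deployed at the time, the same logic can be run over stored HTTP access logs. The sketch below is an added example, not code from the rule's authors or from SonicWall; the combined-log-format input, the `EXAMPLE` action value, the file names and the IP addresses are constructed assumptions.

```python
import re

# Traversal test from the pcre in ET sid:2064936: one or two dots (literal or
# %2e), then one or more separators (/, \, %2f, %5c), at least twice in a row,
# inside the path= value (before the next '&'). The rule's leading '^' is
# dropped because Pattern.match(text, pos) already anchors at pos.
TRAVERSAL = re.compile(r"[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}")

# Assumption: combined-log-format lines from a proxy or TLS-decrypting sensor.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def matches_rule(uri: str) -> bool:
    """Mirror the rule's content checks, then the pcre relative to 'path='."""
    if not uri.startswith("/dload_apps?") or "action=" not in uri:
        return False
    return any(TRAVERSAL.match(uri, m.end()) for m in re.finditer("path=", uri))

def scan(lines):
    """Return (line_no, source, status, uri) for every matching request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if m and matches_rule(m["uri"]):
            hits.append((n, m["src"], m["status"], m["uri"]))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder action value).
SAMPLE = [
    '192.0.2.10 - - [20/Apr/2021:10:00:01 +0000] "GET /dload_apps?action=EXAMPLE&path=..%2f..%2fexample.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/Apr/2021:10:00:02 +0000] "GET /dload_apps?action=EXAMPLE&path=%2e%2e%5C%2E%2E%5cexample.txt HTTP/1.1" 403 0',
    '198.51.100.7 - - [20/Apr/2021:10:00:03 +0000] "GET /dload_apps?action=EXAMPLE&path=logo.png HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/Apr/2021:10:00:04 +0000] "GET /dload_apps?action=EXAMPLE&path=../logo.png HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/Apr/2021:10:00:05 +0000] "GET /index.html?path=../../example.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Only the first two sample lines are reported: a single `../` does not satisfy the rule's "at least twice" condition, and traversal against any other endpoint is out of scope for this signature. Hits answered with status 200 are the ones to triage first.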
CVSS provenance
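| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |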
CISA
SonicWall Email Security Unrestricted Upload of File Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-20022 [CRITICAL] CWE-434 SonicWall Email Security Unrestricted Upload of File Vulnerability
Vulnerability: SonicWall Email Security Unrestricted Upload of File Vulnerability
Affected: SonicWall SonicWall Email Security
SonicWall Email Security contains an unrestricted upload of file with dangerous type vulnerability that allows a post-authenticated attacker to upload a file to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20023 to achieve privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20022
Remediation Due Date: 2021-11-17
CISA
SonicWall Email Security Path Traversal Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-20023 [CRITICAL] CWE-22 SonicWall Email Security Path Traversal Vulnerability
Vulnerability: SonicWall Email Security Path Traversal Vulnerability
Affected: SonicWall SonicWall Email Security
SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20022 to achieve privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20023
Remediation Due Date: 2021-11-17
CISA
SonicWall Email Security Improper Privilege Management Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-20021 [CRITICAL] CWE-306 SonicWall Email Security Improper Privilege Management Vulnerability
Vulnerability: SonicWall Email Security Improper Privilege Management Vulnerability
Affected: SonicWall SonicWall Email Security
SonicWall Email Security contains an improper privilege management vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20022 and CVE-2021-20023 to achieve privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20021
Remediation Due Date: 2021-11-17
SonicWall
CVE-2021-20023: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote h
vendor_sonicwall·2021-04-20·CVSS 4.9
CVE-2021-20023 [MEDIUM] CWE-22 CVE-2021-20023: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote h
CVE-2021-20023: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
GHSA
GHSA-86qp-448h-m269: SonicWall Email Security version 10
ghsa_unreviewed·2022-05-24
CVE-2021-20023 [MEDIUM] CWE-22 GHSA-86qp-448h-m269: SonicWall Email Security version 10
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
VulnCheck
SonicWall Email Security Unrestricted Upload of File Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20022 [CRITICAL] CWE-434 SonicWall Email Security Unrestricted Upload of File Vulnerability
SonicWall Email Security contains an unrestricted upload of file with dangerous type vulnerability that allows a post-authenticated attacker to upload a file to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20023 to achieve privilege escalation.
Affected: SonicWall SonicWall Email Security
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise/; https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to
VulnCheck
SonicWall Email Security Improper Privilege Management Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20021 [CRITICAL] CWE-306 SonicWall Email Security Improper Privilege Management Vulnerability
SonicWall Email Security contains an improper privilege management vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20022 and CVE-2021-20023 to achieve privilege escalation.
Affected: SonicWall SonicWall Email Security
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise/; https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-ema
VulnCheck
SonicWall Email Security Path Traversal Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20023 [CRITICAL] CWE-22 SonicWall Email Security Path Traversal Vulnerability
SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20022 to achieve privilege escalation.
Affected: SonicWall SonicWall Email Security
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise/; https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html; https://www.mandiant.com/resourc
Suricata
ET WEB_SPECIFIC_APPS SonicWall Email Security Authenticated Directory Traversal in Branding Feature (CVE-2021-20023)
suricata·2025-09-26·CVSS 4.9
CVE-2021-20023 [MEDIUM] ET WEB_SPECIFIC_APPS SonicWall Email Security Authenticated Directory Traversal in Branding Feature (CVE-2021-20023)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall Email Security Authenticated Directory Traversal in Branding Feature (CVE-2021-20023)"; flow:established,to_server; http.uri; content:"/dload_apps|3f|"; fast_pattern; startswith; content:"action|3d|"; content:"path|3d|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise; reference:cve,2021-20023; classtype:web-application-attack; sid:2064936; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at
No public exploits indexed.
2021-04-20: Published
2021-11-03: Added to CISA KEV
Exploited in the wild