CVE-2021-20028
published 2021-08-04


Priority: P1 (93)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 30.08% (98.0th percentile)
Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier

Affected

8 ranges

Vendor      Product                   Version range                  Fixed in
sonicwall   sma_210_firmware          >= 8.0.0.0 < 9.0.0.10-28sv     9.0.0.10-28sv
sonicwall   sma_410_firmware          >= 8.0.0.0 < 9.0.0.10-28sv     9.0.0.10-28sv
sonicwall   sma_500v_firmware         >= 8.0.0.0 < 9.0.0.10-28sv     9.0.0.10-28sv
sonicwall   sonicwall_sra_sma100
sonicwall   sonicwall_sra_sma100
sonicwall   sra_1600_firmware         >= 8.0.0.0 < 9.0.0.10-28sv     9.0.0.10-28sv
sonicwall   sra_4600_firmware         >= 8.0.0.0 < 9.0.0.10-28sv     9.0.0.10-28sv
sonicwall   sra_va_firmware           >= 8.0.0.0 < 9.0.0.10-28sv     9.0.0.10-28sv

Detection & IOCs (extracted from sources)

  • CVE-2021-20028 is exploited via SQL injection against SonicWall SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier; monitor HTTP requests to SRA management interfaces for SQL metacharacters and injection patterns
  • CVE-2021-20028 has been observed as an initial access vector (T1190 Exploit Public-Facing Applications) used by LockBit 2.0 affiliates to gain footholds into environments
  • Working exploit code for CVE-2021-20028 was publicly released on a Pastebin-like site via the @fuck_maze Twitter account on Jan. 25, 2022; threat actors actively sought and weaponized this exploit for ransomware operations
  • Ransomware threat actor Boriselcin/Wazawaka was actively soliciting a working exploit for CVE-2021-20028 as early as Sept. 13, 2021, indicating pre-patch interest and likely targeted exploitation of SonicWall SRA devices in ransomware campaigns
  • Affected SonicWall SRA products are end-of-life; CISA mandates disconnection rather than patching, as no patch is available for EOL devices
  • Vulnerability affects all SRA 8.x firmware versions and 9.0.0.9-26sv or earlier; any SRA appliance running these versions should be considered actively exploitable

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL