CVE-2021-20028
Published: 2021-08-04
Priority: P1 · 93 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS: 30.08% (98.0th percentile)
Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_210_firmware | >= 8.0.0.0 < 9.0.0.10-28sv | 9.0.0.10-28sv |
| sonicwall | sma_410_firmware | >= 8.0.0.0 < 9.0.0.10-28sv | 9.0.0.10-28sv |
| sonicwall | sma_500v_firmware | >= 8.0.0.0 < 9.0.0.10-28sv | 9.0.0.10-28sv |
| sonicwall | sonicwall_sra_sma100 | — | — |
| sonicwall | sonicwall_sra_sma100 | — | — |
| sonicwall | sra_1600_firmware | >= 8.0.0.0 < 9.0.0.10-28sv | 9.0.0.10-28sv |
| sonicwall | sra_4600_firmware | >= 8.0.0.0 < 9.0.0.10-28sv | 9.0.0.10-28sv |
| sonicwall | sra_va_firmware | >= 8.0.0.0 < 9.0.0.10-28sv | 9.0.0.10-28sv |
Detection & IOCs (extracted from sources)
- CVE-2021-20028 is exploited via SQL injection against SonicWall SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier; monitor HTTP requests to SRA management interfaces for SQL metacharacters and injection patterns.
- CVE-2021-20028 has been observed as an initial access vector (T1190, Exploit Public-Facing Applications) used by LockBit 2.0 affiliates to gain footholds into environments.
- Working exploit code for CVE-2021-20028 was publicly released on a Pastebin-like site via the @fuck_maze Twitter account on Jan. 25, 2022; threat actors actively sought and weaponized this exploit for ransomware operations.
- Ransomware threat actor Boriselcin/Wazawaka was actively soliciting a working exploit for CVE-2021-20028 as early as Sept. 13, 2021, indicating pre-patch interest and likely targeted exploitation of SonicWall SRA devices in ransomware campaigns.
- Affected SonicWall SRA products are end-of-life; CISA mandates disconnection rather than patching, as no patch is available for EOL devices.
- The vulnerability affects all SRA 8.x firmware versions and 9.0.0.9-26sv or earlier; any SRA appliance running these versions should be considered actively exploitable.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-2gf8-x72h-g57r · ghsa_unreviewed · 2022-05-24
CVE-2021-20028 [CRITICAL] CWE-89
** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier.
VulnCheck
SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability
vulncheck · 2021 · CVSS 9.8
CVE-2021-20028 [CRITICAL] CWE-89
SonicWall Secure Remote Access (SRA) products contain an improper neutralization of a SQL Command leading to SQL injection.
Affected: SonicWall Secure Remote Access (SRA)
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/
- https://blog.compass-security.com/2022/03/vpn-appliance-forensics/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf
- https://www.group-ib.com/resources/research-hub/hi-tech-crime
CISA
SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability
cisa · 2022-03-28 · CVSS 9.8
CVE-2021-20028 [CRITICAL] CWE-89
Affected: SonicWall Secure Remote Access (SRA)
SonicWall Secure Remote Access (SRA) products contain an improper neutralization of a SQL Command leading to SQL injection.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20028
Remediation Due Date: 2022-04-18
No detection rules found.
No public exploits indexed.
Greynoiseio
Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
blogs_greynoiseio · 2026-02-27
Qualys
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
blogs_qualys · 2025-05-08
## Table of Contents
Who is LockBit? How it Evolved and Operates
Monero: The Coin of the Realm
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Beyond Traditional Endpoints: Other Compromised Systems
Initial Access and Deployment
Conclusion
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage
Unit42
LockBit 2.0: How This RaaS Operates and How to Protect Against It
blogs_unit42 · 2022-06-09
Authors: Amer Elsad, JR Gumarin, Abigail Barr
Published: June 9, 2022
Tags: High Profile Threats · Ransomware · Threat Research · Flighty Scorpius · LockBit 2.0 · RaaS
## Executive Summary
LockBit 2.0 is ransomware as a service (RaaS) that first emerged in June 2021 as an upgrade to its predecessor LockBit (aka ABCD Ransomware), which was first observed in September 2019.
Since its inception, the LockBit 2.0 RaaS attracted affiliates via recruitment campaigns in underground forums, and thus became particularly prolific during the third quarter of calendar year 2021. The LockBit 2.0 operators claimed to have the fastest encryption software of any active ransomware strain as of June 2021, claiming accordingly that this added to its effectiveness and ability to disrupt the ransomware landscape.
While several top-tier RaaS affiliate programs, such as Babuk, DarkSide and REvil (aka Sodinokibi) disappeared from the underground in 2021, LockBit 2.0 continued
Krebs
Wazawaka Goes Waka Waka
blogs_krebs · 2022-02-14
In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.
[Image caption: Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.]
In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate p
Timeline
- 2021-08-04: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild