CVE-2021-20034
published 2021-09-27

Priority: P1 · 83 · critical · 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Tags: EXPLOIT
EPSS: 80.70% (99.6th percentile)
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.

Affected (18 ranges)

Vendor    | Product           | Version range              | Fixed in
sonicwall | sma100            |                            |
sonicwall | sma100            |                            |
sonicwall | sma100            |                            |
sonicwall | sma_200_firmware  | <= 9.0.0.10-28sv           |
sonicwall | sma_200_firmware  | 10.2.0.0 – 10.2.0.7-34sv   |
sonicwall | sma_200_firmware  | 10.2.1.0 – 10.2.1.0-17sv   |
sonicwall | sma_210_firmware  | <= 9.0.0.10-28sv           |
sonicwall | sma_210_firmware  | 10.2.0.0 – 10.2.0.7-34sv   |
sonicwall | sma_210_firmware  | 10.2.1.0 – 10.2.1.0-17sv   |
sonicwall | sma_400_firmware  | <= 9.0.0.10-28sv           |
sonicwall | sma_400_firmware  | 10.2.0.0 – 10.2.0.7-34sv   |
sonicwall | sma_400_firmware  | 10.2.1.0 – 10.2.1.0-17sv   |
sonicwall | sma_410_firmware  | <= 9.0.0.10-28sv           |
sonicwall | sma_410_firmware  | 10.2.0.0 – 10.2.0.7-34sv   |
sonicwall | sma_410_firmware  | 10.2.1.0 – 10.2.1.0-17sv   |
sonicwall | sma_500v          | <= 9.0.0.10-28sv           |
sonicwall | sma_500v          | 10.2.0.0 – 10.2.0.7-34sv   |
sonicwall | sma_500v          | 10.2.1.0 – 10.2.1.0-17sv   |

Detection & IOCs (extracted from sources)

url: https://10.0.0.6/cgi-bin/handleWAFRedirect?hdl=../flash/etc/EasyAccess/var/conf/persist.db
path: /cgi-bin/handleWAFRedirect
path: /flash/etc/EasyAccess/var/conf/persist.db
other: Snort SID: 58224 - 58226
snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated handleWAFRedirect CGI Arbitrary File Deletion (CVE-2021-20034)"; flow:established,to_server; http.uri; content:"/cgi-bin/handleWAFRedirect|3f|"; fast_pattern; content:"hdl|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,attackerkb.com/topics/23t9VCbGzt/cve-2021-20034/rapid7-analysis; reference:cve,2021-20034; classtype:web-application-attack; sid:2061721; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_17, cve CVE_2021_20034, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit targets the `handleWAFRedirect` CGI endpoint with an `hdl` parameter containing path traversal sequences (dot-dot sequences and their URL-encoded variants) to delete arbitrary files. Detect via URI pattern matching on `/cgi-bin/handleWAFRedirect?` followed by `hdl=` with traversal sequences.
  • The exploit deletes the persistent database file (`persist.db`) to force a factory reset on reboot. Monitor for unauthenticated DELETE/GET requests that reach `/flash/etc/EasyAccess/var/conf/persist.db` via path traversal.
  • A Shodan query can be used to identify exposed SonicWall SMA devices on the internet that may be targeted: search for the title 'Virtual Office' together with 'Server: SonicWall'. Use it to inventory your own externally reachable appliances.
  • The vulnerability is exploitable without authentication (unauthenticated remote attacker). Prioritize detection on perimeter and SSL-decrypting sensors for inbound HTTP requests to SMA 100 series devices.
  • The Emerging Threats Snort rule (sid:2061721) requires TLS decryption to be effective, as the exploit traffic is HTTPS. Deploy it on sensors with TLS inspection enabled (metadata tags: tls_state TLSDecrypt / deployment SSLDecrypt).
  • Affected versions are SMA 100 Series running 9.0.0.10-28sv, 10.2.0.7-34sv, and 10.2.1.0-17sv. Talos Snort SIDs 58224–58226 cover this CVE and should be enabled on the relevant rulesets.
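The URI-matching logic the bullets and the ET rule describe, applied to web-server access logs rather than live traffic, as an added example (not code from this page or from SonicWall). It re-implements the rule's PCRE in Python and runs it over a few constructed access-log lines. One caveat it makes visible: the rule's PCRE requires at least two consecutive traversal sequences (`{2,}`), so a single `../` as in the IOC URL listed above does not satisfy it; the example therefore also reports a looser "any traversal after decoding" check and a direct check for the `persist.db` path, which a defender hunting in logs may prefer at the cost of more false positives. The log format, the source addresses and all sample lines are constructed assumptions.

```python
"""Constructed example: hunt for CVE-2021-20034 request patterns in HTTP access logs."""
import re
from typing import Optional
from urllib.parse import urlsplit, unquote

# Assumed combined-log style line:  src - - [ts] "METHOD URI PROTO" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Python equivalent of the ET rule's PCRE, applied to the raw (undecoded) text after "hdl=":
# at least two consecutive "dot(s) followed by slash(es)" sequences, raw or percent-encoded.
ET_TRAVERSAL_RE = re.compile(r'^[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff]){1,}){2,}')

# Looser hunting check: any single traversal sequence once the value has been URL-decoded.
ANY_TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

TARGET_ENDPOINT = "/cgi-bin/handleWAFRedirect"
# Path from the advisory IOCs (leading slash dropped so it matches inside a relative hdl value).
PERSIST_DB_SUFFIX = "flash/etc/EasyAccess/var/conf/persist.db"


def classify_uri(uri: str) -> Optional[dict]:
    """Return a verdict for one request URI, or None if it does not hit the CGI endpoint with hdl=."""
    parts = urlsplit(uri)
    if parts.path != TARGET_ENDPOINT:
        return None
    m = re.search(r'(?:^|&)hdl=', parts.query)
    if not m:
        return None
    raw_hdl = parts.query[m.end():]                  # what the Snort rule inspects
    value = raw_hdl.split('&', 1)[0]
    decoded = unquote(unquote(value))                # second pass catches double-encoding
    return {
        "et_rule_match": bool(ET_TRAVERSAL_RE.match(raw_hdl)),
        "any_traversal": bool(ANY_TRAVERSAL_RE.search(decoded)),
        "targets_persist_db": PERSIST_DB_SUFFIX in decoded,
        "decoded_hdl": decoded,
    }


def scan_access_log(lines) -> list:
    """Return one enriched verdict per log line that trips any of the three checks."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_uri(m.group("uri"))
        if verdict and (verdict["et_rule_match"] or verdict["any_traversal"]
                        or verdict["targets_persist_db"]):
            verdict.update(src=m.group("src"), ts=m.group("ts"), method=m.group("method"))
            hits.append(verdict)
    return hits


# Constructed sample log (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Sep/2021:10:14:55 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 512',
    # IOC URL from the advisory: one "../" only, so the ET PCRE does not fire, the other checks do.
    '198.51.100.7 - - [27/Sep/2021:10:15:01 +0000] "GET /cgi-bin/handleWAFRedirect?hdl=../flash/etc/EasyAccess/var/conf/persist.db HTTP/1.1" 200 0',
    # Two encoded traversal sequences: all three checks fire.
    '203.0.113.9 - - [27/Sep/2021:10:15:03 +0000] "GET /cgi-bin/handleWAFRedirect?hdl=..%2f..%2fflash/etc/EasyAccess/var/conf/persist.db HTTP/1.1" 200 0',
    # Legitimate-looking use of the endpoint: nothing fires.
    '203.0.113.9 - - [27/Sep/2021:10:15:10 +0000] "GET /cgi-bin/handleWAFRedirect?hdl=portal HTTP/1.1" 302 0',
    # Fully encoded traversal toward some other file: ET rule and traversal checks fire, persist.db does not.
    '192.0.2.44 - - [27/Sep/2021:10:16:20 +0000] "GET /cgi-bin/handleWAFRedirect?hdl=%2E%2E%2F%2E%2E%2Ftmp%2Fscratch.tmp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} et_rule={hit["et_rule_match"]} '
              f'traversal={hit["any_traversal"]} persist_db={hit["targets_persist_db"]} hdl={hit["decoded_hdl"]}')
```

Run as a script it prints three hits. The `et_rule_match` column shows which of them the ET signature alone would have caught; the second sample line (the advisory's own IOC URL) only shows up because of the looser checks, which is the point to keep in mind when deciding how much to rely on the signature for retrospective hunting.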

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd           | v2.0    | 6.4   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:P
vendor_oracle |         | 7.5   | HIGH     |