CVE-2021-20035
Published: 2021-09-27
Priority: P2 · 77 · medium · CVSS 3.1 base score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Badges: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2025-05-07
Exploited in the wild
EPSS: 3.89% (88.9th percentile)
Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma100 | — | — |
| sonicwall | sma100 | — | — |
| sonicwall | sma100 | — | — |
| sonicwall | sma_200_firmware | < 9.0.0.11-31sv | 9.0.0.11-31sv |
| sonicwall | sma_200_firmware | >= 10.2.0.0 < 10.2.0.8-37sv | 10.2.0.8-37sv |
| sonicwall | sma_200_firmware | >= 10.2.1.0 < 10.2.1.1-19sv | 10.2.1.1-19sv |
| sonicwall | sma_210_firmware | < 9.0.0.11-31sv | 9.0.0.11-31sv |
| sonicwall | sma_210_firmware | >= 10.2.0.0 < 10.2.0.8-37sv | 10.2.0.8-37sv |
| sonicwall | sma_210_firmware | >= 10.2.1.0 < 10.2.1.1-19sv | 10.2.1.1-19sv |
| sonicwall | sma_400_firmware | < 9.0.0.11-31sv | 9.0.0.11-31sv |
| sonicwall | sma_400_firmware | >= 10.2.0.0 < 10.2.0.8-37sv | 10.2.0.8-37sv |
| sonicwall | sma_400_firmware | >= 10.2.1.0 < 10.2.1.1-19sv | 10.2.1.1-19sv |
| sonicwall | sma_410_firmware | < 9.0.0.11-31sv | 9.0.0.11-31sv |
| sonicwall | sma_410_firmware | >= 10.2.0.0 < 10.2.0.8-37sv | 10.2.0.8-37sv |
| sonicwall | sma_410_firmware | >= 10.2.1.0 < 10.2.1.1-19sv | 10.2.1.1-19sv |
| sonicwall | sma_500v | < 9.0.0.11-31sv | 9.0.0.11-31sv |
| sonicwall | sma_500v | >= 10.2.0.0 < 10.2.0.8-37sv | 10.2.0.8-37sv |
| sonicwall | sma_500v | >= 10.2.1.0 < 10.2.1.1-19sv | 10.2.1.1-19sv |
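As an added example (not from this page's sources or from SonicWall), the Python below transcribes the three version ranges from the Affected table and classifies firmware version strings against them, so an inventory of SMA 100 appliances can be triaged in one pass. It assumes SonicWall's `a.b.c.d-NNsv` strings order numerically field by field, with the `-NNsv` build number as a final field; the hostnames and versions in the inventory are constructed. A version on a branch the table does not list (for example 10.1.x) is reported as unlisted rather than safe, because the table says nothing about it.

```python
import re
from typing import Dict, Optional, Tuple

# Version ranges transcribed from the Affected table on this page. The same
# three ranges apply to every SMA 100 series product listed (200/210/400/410/500v).
# Each entry: (lower bound inclusive or None, upper bound exclusive, fixed-in build).
AFFECTED_RANGES = (
    (None,       "9.0.0.11-31sv", "9.0.0.11-31sv"),
    ("10.2.0.0", "10.2.0.8-37sv", "10.2.0.8-37sv"),
    ("10.2.1.0", "10.2.1.1-19sv", "10.2.1.1-19sv"),
)

# Assumed format of SMA 100 firmware strings: dotted numeric fields with an
# optional "-<build>sv" suffix, e.g. "10.2.1.1-19sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)sv)?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.2.1.1-19sv' -> (10, 2, 1, 1, 19).

    A missing build suffix becomes 0, so '10.2.0.0' sorts below every
    '10.2.0.0-<n>sv' build, which is how the table's lower bounds are meant.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    fields = [int(x) for x in m.group(1).split(".")]
    fields += [0] * (4 - len(fields))          # pad to four dotted fields
    fields.append(int(m.group(2) or 0))        # build number
    return tuple(fields)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify one firmware version against the table.

    Returns ('vulnerable', fixed_in) when the version falls inside a listed
    range, ('fixed', fixed_in) when it is at or above that branch's fixed
    build, and ('unlisted', None) when no listed range covers its branch.
    """
    v = parse_version(version)
    for lower, upper, fixed_in in AFFECTED_RANGES:
        hi = parse_version(upper)
        lo = parse_version(lower) if lower else None
        if (lo is None or v >= lo) and v < hi:
            return "vulnerable", fixed_in
        # Same maintenance branch (first three fields) and at/after the fix.
        if v[:3] == hi[:3] and v >= hi:
            return "fixed", fixed_in
    return "unlisted", None


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Apply assess() to a {hostname: firmware_version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    inventory = {
        "sma410-dc1":  "10.2.1.0-17sv",   # inside the 10.2.1 range -> vulnerable
        "sma410-dc2":  "10.2.1.14-75sv",  # later 10.2.1 build -> fixed
        "sma500v-lab": "10.2.0.7-34sv",   # inside the 10.2.0 range -> vulnerable
        "sma400-old":  "9.0.0.10-28sv",   # below 9.0.0.11-31sv -> vulnerable
        "sma200-odd":  "10.1.0.0-15sv",   # branch not in the table -> unlisted
    }
    for host, (status, fixed_in) in sorted(triage(inventory).items()):
        print(f"{host:12} {inventory[host]:16} {status:10} {fixed_in or '-'}")
```

Note that the first range has no lower bound, so anything older than 9.0.0.11-31sv (including 8.x) is classed as vulnerable exactly as the table states; a version check is only the first pass, since the OVERSTEP reporting on this page concerns fully patched but end-of-life hardware.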
Detection & IOCs (extracted from sources)
- Monitor for logins using the default local super admin account (admin@LocalDomain) with the default password 'password' as an indicator of exploitation activity.
- Post-exploitation: the OVERSTEP rootkit is deployed as an ELF file decoded from base64; hunt for unexpected ELF binaries written to disk on SMA appliances.
- OVERSTEP establishes a reverse shell and implements user-mode rootkit capabilities; monitor SMA appliances for unexpected outbound shell connections.
- Acquire disk images of potentially compromised SMA appliances for forensic analysis; working from an offline image prevents the OVERSTEP rootkit from hiding its components during the investigation.
- Review SMA devices for unauthorized logins, as recommended by SonicWall PSIRT following confirmed exploitation of CVE-2021-20035.
- The OVERSTEP rootkit was observed on end-of-life SMA 100 Series devices; even fully patched but EoL appliances may remain at risk from unknown vulnerabilities and should be considered for replacement.
- CVE-2024-38475 (Apache mod_rewrite) was also exploited in conjunction with CVE-2021-20035 on SMA 100 devices. CVE-2021-20035 itself was fixed in 10.2.1.1-19sv (see the Affected table); firmware 10.2.1.14-75sv and later carries the fix for both, so remediate them together by upgrading to at least that build.
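The three hunts listed above (default super-admin logins, base64-decoded ELF drops, unexpected outbound connections) as one added detection script in Python. This is not from the page's sources or from SonicWall: the log lines are constructed, syslog-style samples with assumed key=value fields (event, user, src, dst, cmd), a real SMA appliance's log format will differ, and the management-network prefix and egress allowlist are placeholders to replace with your own. The ELF check does not rely on a file extension; it decodes any long base64 run and looks for the `\x7fELF` magic, which in base64 text always appears as the prefix `f0VMR`.

```python
import base64
import re
from typing import Dict, List

# Assumed environment knobs (replace with your own):
MGMT_PREFIXES = ("10.0.0.",)            # where admin logins are expected from
ALLOWED_EGRESS = {"10.0.0.20:636"}      # e.g. LDAPS to the directory server

DEFAULT_SUPERADMIN = "admin@localdomain"  # compared case-insensitively
ELF_MAGIC = b"\x7fELF"

# Parser for the constructed key=value lines: '<ts> <host> <facility>: k=v k="v v"'
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# A run of base64 text long enough to carry a file rather than a token.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_line(line: str) -> Dict[str, str]:
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def decodes_to_elf(blob: str) -> bool:
    """True when a base64 run decodes to bytes beginning with the ELF magic."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(ELF_MAGIC)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the three hunts over log lines and return one finding per hit."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        f = parse_line(line)
        event = f.get("event")
        if event == "auth_ok":
            user, src = f.get("user", ""), f.get("src", "")
            # Default local super admin logging in from outside the management network.
            if user.lower() == DEFAULT_SUPERADMIN and not src.startswith(MGMT_PREFIXES):
                findings.append({"ts": f["ts"], "rule": "default-superadmin-login",
                                 "detail": f"{user} from {src}"})
        elif event == "cmd":
            # Shell command carrying a base64 blob that decodes to an ELF image.
            for blob in _B64_RUN.findall(f.get("cmd", "")):
                if decodes_to_elf(blob):
                    findings.append({"ts": f["ts"], "rule": "base64-elf-drop",
                                     "detail": f.get("cmd", "")[:60]})
        elif event == "conn_out" and f.get("dst") not in ALLOWED_EGRESS:
            # Appliance-initiated connection to a destination not on the allowlist.
            findings.append({"ts": f["ts"], "rule": "unexpected-egress",
                             "detail": f"{f.get('src')} -> {f.get('dst')}"})
    return findings


# Constructed sample log (not real SMA output). The ELF blob is a bare
# 63-byte header so its base64 form carries no '=' padding.
_ELF_B64 = base64.b64encode(b"\x7fELF\x02\x01\x01" + b"\x00" * 56).decode()
SAMPLE_LOG = [
    "2025-04-14T03:12:07Z sma-edge sslvpn: event=auth_ok user=admin@LocalDomain src=203.0.113.45 portal=Management",
    "2025-04-14T03:12:09Z sma-edge sslvpn: event=auth_ok user=jdoe@example.com src=198.51.100.7 portal=VirtualOffice",
    f'2025-04-14T03:13:01Z sma-edge sh: event=cmd cmd="echo {_ELF_B64} | base64 -d > /tmp/.x"',
    "2025-04-14T03:13:05Z sma-edge net: event=conn_out src=10.0.0.5 dst=203.0.113.99:4444 proto=tcp",
    "2025-04-14T03:13:06Z sma-edge net: event=conn_out src=10.0.0.5 dst=10.0.0.20:636 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['rule']:26} {hit['detail']}")
```

The egress rule is deliberately an allowlist rather than a port list: a reverse shell need not use 4444, and an SMA appliance has few legitimate reasons to open outbound connections beyond its configured directory, RADIUS, NTP and update endpoints. Run the script against a disk image or exported logs, not on the live appliance, for the reason the disk-imaging bullet gives.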
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:C |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
CISA
SonicWall SMA100 Appliances OS Command Injection Vulnerability
cisa · 2025-04-16 · CVSS 6.5 · MEDIUM · CWE-78
Affected: SonicWall SMA100 Appliances
SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022 ; https://nvd.nist.gov/vuln/detail/CVE-2021-20035
Remediation Due Date: 2025-05-07
GHSA
GHSA-g24w-7v2m-52xh
ghsa_unreviewed · 2022-05-24 · MEDIUM · CWE-78
Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.
VulnCheck
SonicWall SMA100 Appliances OS Command Injection Vulnerability
vulncheck · 2021 · CVSS 6.5 · MEDIUM · CWE-78
SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution.
Affected: SonicWall SMA100 Appliances
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://arcticwolf.com/resources/blog/credential-access-campaign-targeting-sonicwall-sma-devic
No detection rules found.
No public exploits indexed.
Bleepingcomputer
SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
blogs_bleepingcomputer · 2025-07-24 · CVSS 6.5 · CVE-2025-40599 [MEDIUM]
By Sergiu Gatlan
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or
Bleepingcomputer
SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware
blogs_bleepingcomputer · 2025-07-16 · CVSS 6.5 · [MEDIUM]
By Ionut Ilascu
A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully-patched but no longer supported SonicWall Secure Mobile Access appliances.
The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.
Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on “an unknown, zero-day remote code execution vulnerability”.
The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.
Because files stolen from the vic
Bleepingcomputer
SonicWall urges admins to patch VPN flaw exploited in attacks
blogs_bleepingcomputer · 2025-05-08 · CVSS 8.8 · CVE-2025-32819 [HIGH]
By Sergiu Gatlan
SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.
"SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release
Bleepingcomputer
SonicWall warns of more VPN flaws exploited in attacks
blogs_bleepingcomputer · 2025-04-30 · CVSS 6.5 · CVE-2023-44221 [MEDIUM]
By Sergiu Gatlan
Cybersecurity company SonicWall has warned customers that two older vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
On Tuesday, SonicWall updated security advisories for the CVE-2023-44221 and CVE-2024-38475 security flaws to tag the two vulnerabilities as "potentially being exploited in the wild."
CVE-2023-44221 is described as a high-severity command injection vulnerability caused by improper neutralization of special elements in the SMA100 SSL-VPN management interface that enables attackers with admin privileges to inject arbitrary commands as a 'nobody' user.
The second security bug, CVE-2024-38475, is rated as a critical severity flaw caused
Bleepingcomputer
SonicWall SMA VPN devices targeted in attacks since January
blogs_bleepingcomputer · 2025-04-18 · CVSS 6.5 · CVE-2021-20035 [MEDIUM]
By Sergiu Gatlan
A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
This security flaw (CVE-2021-20035) impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and was patched almost four years ago, in September 2021, when SonicWall said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks.
However, the company updated the four-year-old security advisory on Monday to flag the security bug as exploited in attacks, expand the impact to include remote code execution, and upgrade the CVSS severity score from medium to
Bleepingcomputer
CISA tags SonicWall VPN flaw as actively exploited in attacks
blogs_bleepingcomputer · 2025-04-17 · CVSS 6.5 · CVE-2021-20035 [MEDIUM]
By Sergiu Gatlan
On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability.
Tracked as CVE-2021-20035, this security flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. Successful exploitation can allow remote threat actors with low privileges to execute arbitrary code in low-complexity attacks.
"Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution," SonicWall explains in an advisory u
2021-09-27 · Published
2025-04-16 · Added to CISA KEV
Exploited in the wild