⚠ Actively exploited
Added to CISA KEV on 2025-04-16. Federal agencies required to patch by 2025-05-07. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2021-20035: OS Command Injection in SMA100
Severity
6.5 MEDIUM (NVD)
EPSS
4.5%
top 10.80%
CISA KEV
KEV
Added 2025-04-16
Due 2025-05-07
Exploit
No known exploits
Affected products
Timeline
Published: Sep 27
KEV added: Apr 16
Latest update: Apr 18
KEV due: May 7
Description
Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages (6 packages)
CVEListV5: sonicwall/sma100, versions 10.2.0.7-34sv and earlier, 10.2.1.0-17sv and earlier, 9.0.0.10-28sv and earlier (+2)
Vulnerability Details
GHSA
GHSA-g24w-7v2m-52xh: Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as… (2022-05-24)
CVEList
CVE-2021-20035: Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as… (2021-09-27)