CVE-2021-20035
published 2021-09-27


Priority: P2 (77) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2025-05-07
Exploited in the wild (ITW)
EPSS: 3.89% (88.9th percentile)
Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.

Affected (18 ranges)

Vendor     Product            Version range                          Fixed in
sonicwall  sma100             (3 entries, no version range listed)   -
sonicwall  sma_200_firmware   < 9.0.0.11-31sv                        9.0.0.11-31sv
sonicwall  sma_200_firmware   >= 10.2.0.0, < 10.2.0.8-37sv           10.2.0.8-37sv
sonicwall  sma_200_firmware   >= 10.2.1.0, < 10.2.1.1-19sv           10.2.1.1-19sv
sonicwall  sma_210_firmware   < 9.0.0.11-31sv                        9.0.0.11-31sv
sonicwall  sma_210_firmware   >= 10.2.0.0, < 10.2.0.8-37sv           10.2.0.8-37sv
sonicwall  sma_210_firmware   >= 10.2.1.0, < 10.2.1.1-19sv           10.2.1.1-19sv
sonicwall  sma_400_firmware   < 9.0.0.11-31sv                        9.0.0.11-31sv
sonicwall  sma_400_firmware   >= 10.2.0.0, < 10.2.0.8-37sv           10.2.0.8-37sv
sonicwall  sma_400_firmware   >= 10.2.1.0, < 10.2.1.1-19sv           10.2.1.1-19sv
sonicwall  sma_410_firmware   < 9.0.0.11-31sv                        9.0.0.11-31sv
sonicwall  sma_410_firmware   >= 10.2.0.0, < 10.2.0.8-37sv           10.2.0.8-37sv
sonicwall  sma_410_firmware   >= 10.2.1.0, < 10.2.1.1-19sv           10.2.1.1-19sv
sonicwall  sma_500v           < 9.0.0.11-31sv                        9.0.0.11-31sv
sonicwall  sma_500v           >= 10.2.0.0, < 10.2.0.8-37sv           10.2.0.8-37sv
sonicwall  sma_500v           >= 10.2.1.0, < 10.2.1.1-19sv           10.2.1.1-19sv
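The three ranges in the table are the same for every SMA 100 series product line, so an inventory check reduces to parsing the firmware version string and comparing it against them. The script below is an added example written for this page, not SonicWall's code or tooling; it assumes version strings have the four-dotted-numbers-plus-"-NNsv" shape seen in the table ("10.2.1.1-19sv") and treats a bare bound such as "10.2.0.0" as build 0. The version strings fed to it at the bottom are constructed test inputs.

```python
import re
from typing import Optional, Tuple

# Affected / fixed ranges for CVE-2021-20035 as listed in the table above.
# The same three ranges apply to the SMA 200/210/400/410 firmware and SMA 500v lines.
# Each entry: (lower bound inclusive or None, upper bound exclusive, fixed-in version).
AFFECTED_RANGES = [
    (None,       "9.0.0.11-31sv", "9.0.0.11-31sv"),
    ("10.2.0.0", "10.2.0.8-37sv", "10.2.0.8-37sv"),
    ("10.2.1.0", "10.2.1.1-19sv", "10.2.1.1-19sv"),
]

# Assumed shape of an SMA 100 firmware version string: four dotted numbers plus an
# optional "-NNsv" build suffix, as in "10.2.1.1-19sv" (an assumption for this example).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)sv)?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn "10.2.1.1-19sv" into (10, 2, 1, 1, 19) so tuples compare numerically.

    A missing "-NNsv" suffix is treated as build 0, so "10.2.1.0" sorts before
    "10.2.1.0-1sv" and a bare range bound such as "10.2.0.0" behaves as a floor.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    major, minor, patch, rev, build = m.groups()
    return (int(major), int(minor), int(patch), int(rev), int(build or 0))


def affected_by_cve_2021_20035(version: str) -> Optional[str]:
    """Return the fixed-in version when `version` falls inside a listed affected
    range, or None when it is at or above the fix for its branch. None also comes
    back for versions outside every listed range; that means "not listed", not "safe"."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample versions for illustration.
    for ver in ("9.0.0.10-28sv", "9.0.0.11-31sv", "10.2.0.7-34sv",
                "10.2.1.0-17sv", "10.2.1.14-75sv"):
        fix = affected_by_cve_2021_20035(ver)
        print(f"{ver:16} -> {'upgrade to ' + fix if fix else 'not in an affected range'}")
```

Note the gap the table leaves: "< 9.0.0.11-31sv" covers nothing at 10.0.x or 10.1.x, so such a version returns None from this check. Treat that as "no range listed here" and confirm against the vendor advisory rather than reading it as fixed.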

Detection & IOCs (extracted from sources)

Indicators
  other:    admin@LocalDomain
  other:    password
  filename: persist.db
  other:    OVERSTEP
  • Monitor for logins to the default local super admin account admin@LocalDomain with the default password 'password'; such logins are an indicator of exploitation activity.
  • Post-exploitation, the OVERSTEP rootkit is dropped as an ELF binary decoded from base64. Hunt for unexpected ELF files written to disk on SMA appliances.
  • OVERSTEP establishes a reverse shell and implements user-mode rootkit capabilities. Monitor SMA appliances for unexpected outbound shell connections.
  • Acquire disk images of potentially compromised SMA appliances and analyze them offline: a user-mode rootkit can hide its files and processes from tools run on the live system, and an offline image avoids that interference.
  • Review SMA devices for unauthorized logins, as recommended by SonicWall PSIRT following confirmed exploitation of CVE-2021-20035.
  • The OVERSTEP rootkit was observed on end-of-life SMA 100 Series devices. Even a fully patched EoL appliance may remain exposed to unknown vulnerabilities that will not receive fixes, and should be considered for replacement.
  • CVE-2024-38475 (Apache mod_rewrite) was also exploited in conjunction with CVE-2021-20035 on SMA 100 devices. Both vulnerabilities are patched in firmware 10.2.1.14-75sv and later and should be remediated together.
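Two of the hunts above (default super admin logins, and a base64 blob that decodes to an ELF) can be run over exported logs or captured request bodies without touching the appliance. The script below is an added example for this page, not code from SonicWall, the OVERSTEP reporting, or any detection vendor. The log lines are constructed for the example and their "user=... src=... result=..." layout is an assumption, not the SMA appliance's real log format; the embedded payload is a constructed 20-byte ELF header fragment, not a real binary.

```python
import base64
import re
from typing import Dict, List

# Indicators named on this page: the default local super admin account, and the
# fact that the OVERSTEP ELF is written to disk after being decoded from base64.
DEFAULT_ADMIN = "admin@LocalDomain"
ELF_MAGIC = b"\x7fELF"

# Constructed 20-byte ELF64 header fragment (magic, class, data, version, padding,
# then e_type/e_machine). It only exists so the sample contains a base64 ELF;
# it is not a real binary and not OVERSTEP.
ELF_STUB = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x03\x00\x3e\x00"
ELF_STUB_B64 = base64.b64encode(ELF_STUB).decode()

# Constructed sample log lines. The field layout is an assumption for this example,
# not the SMA appliance's actual log format.
SAMPLE_LOG = f"""\
2025-04-16T02:11:09Z sma-edge auth: user=jdoe@LocalDomain src=10.8.1.23 result=success
2025-04-16T02:14:51Z sma-edge auth: user=admin@LocalDomain src=203.0.113.45 result=success
2025-04-16T02:15:07Z sma-edge mgmt: user=admin@LocalDomain cmd=echo {ELF_STUB_B64} | base64 -d > /tmp/x
2025-04-16T02:16:00Z sma-edge auth: user=admin@LocalDomain src=10.8.1.5 result=failure
"""

_AUTH_RE = re.compile(r"auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")
# Runs of base64 alphabet long enough to hold at least an ELF header, with any
# trailing '=' padding included.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def default_admin_logins(log: str) -> List[Dict[str, str]]:
    """Every auth event (success or failure) for the default super admin account.
    Successes from unexpected source addresses are the ones to triage first."""
    hits = []
    for line in log.splitlines():
        m = _AUTH_RE.search(line)
        if m and m.group("user").lower() == DEFAULT_ADMIN.lower():
            hits.append(m.groupdict())
    return hits


def decodes_to_elf(token: str) -> bool:
    """True when `token` is valid base64 whose plaintext begins with the ELF magic."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error (bad alphabet/padding) is a ValueError subclass
        return False
    return raw.startswith(ELF_MAGIC)


def find_base64_elf(text: str) -> List[str]:
    """Base64 tokens in `text` (log lines, captured request bodies, shell history)
    that decode to an ELF image."""
    return [tok for tok in _B64_RUN.findall(text) if decodes_to_elf(tok)]


if __name__ == "__main__":
    for hit in default_admin_logins(SAMPLE_LOG):
        print("default admin login:", hit)
    for tok in find_base64_elf(SAMPLE_LOG):
        print("base64 ELF payload:", tok[:24] + "...")
```

Because base64 of any ELF header at offset 0 always begins with "f0VMRg", a grep for that string over captured payloads or shell history is the one-line equivalent of find_base64_elf on a live box; the decode check here additionally rejects tokens that are not well-formed base64. Neither catches an ELF that was written some other way, so the disk-image review above still applies.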

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd         v2.0      6.8     MEDIUM     AV:N/AC:L/Au:S/C:N/I:N/A:C
vulncheck   -         6.5     MEDIUM     -
cisa        -         6.5     MEDIUM     -