CVE-2021-20039
Published: 2021-12-08
Priority: P1 (85), high, CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: exploited in the wild (ITW), exploit available, VulnCheck KEV
EPSS: 78.11% (99.5th percentile)
Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
Affected (19 ranges; version bounds and fixed versions were not captured in this record)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sonicwall_sma100 | — | — |
Detection & IOCs (extracted from sources)
command: POST /cgi-bin/viewcert HTTP/1.1
snort rule (sid:2034986, rev:3):
```snort
alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039"; flow:established,to_server; http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1"; fast_pattern; http.request_body; content:"cert|3d|"; nocase; pcre:"/^[^\x0d\x0a\x26\x5c]*?\x5cn/R"; reference:cve,2021-20039; classtype:attempted-admin; sid:2034986; rev:3; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20039, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
bytes: cert|3d| (hex: 63 65 72 74 3d) in the HTTP POST body to /cgi-bin/viewcert
- Monitor for HTTP POST requests to /cgi-bin/viewcert on SMA 100 series management interfaces; the injection payload is embedded in the POST body 'cert=' parameter and contains the two-byte escaped newline sequence backslash, 'n' (\x5c\x6e, i.e. a literal `\n`), which is what the rule's pcre looks for after 'cert=' and which breaks out of the command context.
- Exploitation results in command execution as root (escalated from 'nobody'), so post-exploitation process trees spawned from the SMA web process running as root should be treated as high-confidence compromise indicators.
- CVE-2021-20039 has been chained with other SMA vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2025-32819) by threat actor UNC6148 to steal administrator credentials; look for sequential exploitation patterns across these CVEs on the same appliance.
- Post-compromise, UNC6148 decoded and dropped an OVERSTEP backdoor as a .ELF file via base64 decoding commands; hunt for base64-decode shell commands and newly created .ELF files on SMA appliances.
- Theft of the persist.db database and certificate files from SMA appliances is a key post-exploitation objective; monitor for unexpected reads or exfiltration of persist.db.
- The vulnerability requires prior authentication; an attacker must already possess valid credentials (e.g., stolen via a companion vulnerability) before exploiting CVE-2021-20039.
- Affected firmware versions are 10.2.1.2-24sv and below, 10.2.0.8-37sv and below, and 9.0.0.11-31sv and below; the Snort rule's ET metadata indicates it was last updated 2025-04-14, suggesting continued relevance against unpatched/EoL devices.
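To make the scope of the ET rule above concrete for a defender, the following Python (an added example, not code from this page, SonicWall or Emerging Threats) re-implements the rule's three matching stages and runs them over constructed HTTP requests; the sample bodies, the PLACEHOLDER text and the host name are assumptions, not captured traffic.

```python
import re

# Re-implementation of the matching stages of ET sid:2034986 (assumed semantics, not ET's code):
#   1. http.request_line must be exactly "POST /cgi-bin/viewcert HTTP/1.1"
#   2. http.request_body must contain "cert=" (nocase)
#   3. pcre /^[^\x0d\x0a\x26\x5c]*?\x5cn/R: starting right after that match, run over
#      bytes that are not CR, LF, '&' or backslash until a literal two-byte "\n"
#      escape sequence (0x5c 0x6e) appears inside the cert= value
REQUEST_LINE = b"POST /cgi-bin/viewcert HTTP/1.1"
CERT_PARAM = re.compile(rb"cert=", re.IGNORECASE)
ESCAPED_NEWLINE = re.compile(rb"[^\x0d\x0a\x26\x5c]*?\x5cn")


def split_request(raw: bytes):
    """Return (request_line, body) of a raw HTTP/1.x request, or (None, None) if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, None
    return head.split(b"\r\n", 1)[0], body


def matches_sid_2034986(raw: bytes) -> bool:
    """True when the request would trigger the ET rule for CVE-2021-20039."""
    line, body = split_request(raw)
    if line != REQUEST_LINE or body is None:
        return False
    # Snort/Suricata re-search the content match when the relative pcre fails,
    # so every "cert=" occurrence is tried, each anchored at its own end.
    return any(ESCAPED_NEWLINE.match(body, m.end()) for m in CERT_PARAM.finditer(body))


def _request(body: bytes, line: bytes = REQUEST_LINE) -> bytes:
    """Build a constructed request; the host name is a placeholder."""
    return (line + b"\r\nHost: sma.example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples, not captured traffic.
BENIGN = _request(b"cert=server.crt&certtype=1")                # ordinary parameter value
SUSPECT = _request(b"cert=server.crt\\nPLACEHOLDER")            # literal backslash + 'n' inside the value
OTHER_PARAM = _request(b"cert=server.crt&note=\\nPLACEHOLDER")  # escape sits in a later parameter
WRONG_PATH = _request(b"cert=server.crt\\nPLACEHOLDER", b"POST /cgi-bin/other HTTP/1.1")
```

The OTHER_PARAM and WRONG_PATH cases show the rule's blind spots: the escape must sit inside the cert= value itself, and only the exact HTTP/1.1 request line is matched.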
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
GHSA
GHSA-58fc-493g-jfwj · ghsa_unreviewed · 2021-12-09 · CVE-2021-20039 [HIGH] · CWE-78
Description: as in the CVE entry above.
VulnCheck
SonicWall sma_200_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') · vulncheck · 2021 · CVE-2021-20039 [HIGH] · CVSS 8.8
Description: as in the CVE entry above.
Affected: SonicWall sma_200_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dfir.ch/posts/microsocks_sonicwall/
- https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor
- https://fortiguard.
Suricata
ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039 · suricata · 2022-01-26 · CVE-2021-20039 [HIGH] · CVSS 8.8
Rule: sid:2034986 rev:3, quoted in full under Detection & IOCs above.
Bleepingcomputer
SonicWall urges admins to patch critical RCE flaw in SMA 100 devices · Sergiu Gatlan · blogs_bleepingcomputer · 2025-07-24 · CVE-2025-40599 [MEDIUM] · CVSS 6.5
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution.
The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or
Bleepingcomputer
SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware · Ionut Ilascu · blogs_bleepingcomputer · 2025-07-16 · [MEDIUM] · CVSS 6.5
A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully-patched but no longer supported SonicWall Secure Mobile Access appliances.
The backdoor is a user-mode rootkit that allows hackers to hide malicious components, maintain persistent access on the device, and steal sensitive credentials.
Researchers at Google Threat Intelligence Group (GTIG) observed the rootkit in attacks that may have relied on "an unknown, zero-day remote code execution vulnerability".
The threat actor is tracked as UNC6148 and has been operating since at least last October, with an organization being targeted as recently as May.
Because files stolen from the vic
Tenable
SonicWall Urges Users to Patch Several Vulnerabilities in Secure Mobile Access Products (CVE-2021-20038) · blogs_tenable · 2021-12-08 · [CRITICAL] · CVSS 9.8
References:
- http://packetstormsecurity.com/files/165563/SonicWall-SMA-100-Series-Authenticated-Command-Injection.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis