CVE-2021-20039
published 2021-12-08

Priority: P1 (85), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 78.11% (99.5th percentile)
Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Affected

19 ranges

Vendor      Product                  Version range   Fixed in
sonicwall   sma_200_firmware         (3 ranges)
sonicwall   sma_210_firmware         (3 ranges)
sonicwall   sma_400_firmware         (3 ranges)
sonicwall   sma_410_firmware         (3 ranges)
sonicwall   sma_500v_firmware        (3 ranges)
sonicwall   sonicwall_sma100         (4 ranges)

Detection & IOCs (extracted from sources)

path: /cgi-bin/viewcert
command: POST /cgi-bin/viewcert HTTP/1.1
snort:
alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039"; flow:established,to_server; http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1"; fast_pattern; http.request_body; content:"cert|3d|"; nocase; pcre:"/^[^\x0d\x0a\x26\x5c]*?\x5cn/R"; reference:cve,2021-20039; classtype:attempted-admin; sid:2034986; rev:3; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20039, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: cert|3d| (hex: 63 65 72 74 3d) in HTTP POST body to /cgi-bin/viewcert
  • Monitor for HTTP POST requests to /cgi-bin/viewcert on SMA 100 series management interfaces; the injection payload is embedded in the POST body 'cert=' parameter and contains the literal two-character escape sequence \n (bytes \x5c\x6e, a backslash followed by 'n'), which is what the rule's pcre matches, to break out of the command context.
  • Exploitation results in command execution as root (escalated from 'nobody'), so post-exploitation process trees spawned from the SMA web process running as root should be treated as high-confidence compromise indicators.
  • CVE-2021-20039 has been chained with other SMA vulnerabilities (CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2025-32819) by threat actor UNC6148 to steal administrator credentials; look for sequential exploitation patterns across these CVEs on the same appliance.
  • Post-compromise, UNC6148 decoded and dropped an OVERSTEP backdoor as a .ELF file via base64 decoding commands; hunt for base64-decode shell commands and newly created .ELF files on SMA appliances.
  • Theft of the persist.db database and certificate files from SMA appliances is a key post-exploitation objective; monitor for unexpected reads or exfiltration of persist.db.
  • The vulnerability requires prior authentication; an attacker must already possess valid credentials (e.g., stolen via a companion vulnerability) before exploiting CVE-2021-20039.
  • Affected firmware versions are 10.2.1.2-24sv and below, 10.2.0.8-37sv and below, and 9.0.0.11-31sv and below; the Snort rule's ET metadata indicates it was last updated 2025-04-14, suggesting continued relevance against unpatched/EoL devices.
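As an added worked example (not part of this record and not code from the ET ruleset or SonicWall), the matching conditions of the rule quoted above re-implemented in Python and run over a handful of constructed requests. It makes the rule's boundaries visible: it requires the exact request line, a case-insensitive 'cert=' in the body, and the two-character backslash-n escape inside that same parameter value; a bare LF byte, or the escape in a different parameter, does not satisfy it. The host name and parameter values are made up.

```python
import re

# Added example: a minimal re-implementation of the detection logic in the
# ET rule for CVE-2021-20039, applied to raw HTTP/1.1 request bytes.
# All sample requests below are constructed for illustration.

# http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1";
REQUEST_LINE = b"POST /cgi-bin/viewcert HTTP/1.1"
# http.request_body; content:"cert|3d|"; nocase;
CERT_PARAM = re.compile(rb"cert=", re.IGNORECASE)
# pcre:"/^[^\x0d\x0a\x26\x5c]*?\x5cn/R": starting where "cert=" ended, any run
# of bytes that is not CR, LF, '&' or '\', then the literal bytes '\' 'n'.
BREAKOUT = re.compile(rb"[^\x0d\x0a\x26\x5c]*?\x5cn")


def split_request(raw: bytes):
    """Split raw request bytes into (request_line, header_lines, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def matches_cve_2021_20039_rule(raw: bytes) -> bool:
    """True when every condition of the rule holds for this request."""
    parts = split_request(raw)
    if parts is None:
        return False
    request_line, _headers, body = parts
    if REQUEST_LINE not in request_line:      # content match is a substring match
        return False
    for m in CERT_PARAM.finditer(body):
        # The /R modifier anchors the pcre at the end of the previous content match;
        # Pattern.match(body, pos) gives the same anchoring without '^'.
        if BREAKOUT.match(body, m.end()):
            return True
    return False


def build_request(method: bytes, path: bytes, body: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 request (constructed test input, not captured traffic)."""
    return (method + b" " + path + b" HTTP/1.1\r\n"
            b"Host: sma.example.invalid\r\n"          # hypothetical host
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: parameter values are placeholders, not real payloads.
SAMPLES = {
    "benign_view":        build_request(b"POST", b"/cgi-bin/viewcert", b"cert=server-cert&id=1"),
    "escape_in_value":    build_request(b"POST", b"/cgi-bin/viewcert", b"cert=AAAA\\nBBBB"),
    "upper_case_param":   build_request(b"POST", b"/cgi-bin/viewcert", b"CERT=AAAA\\nBBBB"),
    "real_lf_only":       build_request(b"POST", b"/cgi-bin/viewcert", b"cert=AAAA\nBBBB"),
    "escape_other_param": build_request(b"POST", b"/cgi-bin/viewcert", b"cert=x&note=\\n"),
    "wrong_path":         build_request(b"POST", b"/cgi-bin/other", b"cert=AAAA\\nBBBB"),
    "get_method":         build_request(b"GET", b"/cgi-bin/viewcert", b"cert=AAAA\\nBBBB"),
}


def scan_samples() -> dict:
    """Run the matcher over every constructed sample; True means the rule would fire."""
    return {name: matches_cve_2021_20039_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:20s} {'ALERT' if hit else 'ok'}")
```

Only escape_in_value and upper_case_param fire. The rule's nocase applies to 'cert=' alone, the pcre is case-sensitive, and it matches the raw body bytes exactly as the http.request_body buffer presents them; the matcher above does the same and performs no decoding or normalisation of its own.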

CVSS provenance

nvd        v3.1   8.8   HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   9.0   CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck         8.8   HIGH