CVE-2021-20042
Published 2021-12-08
Priority P261 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.66% (83.8th percentile)
An unauthenticated remote attacker can use SMA 100 as an unintended proxy or intermediary undetectable proxy to bypass firewall rules. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
Detection & IOCs
url: /fileshare/sonicfiles/sonicfiles?
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fileshare/sonicfiles/sonicfiles|3f|"; fast_pattern; content:"RacNumber|3d|25"; content:"Arg1|3d|"; pcre:"/^[a-z]+\x3a\x2f{2}/R"; reference:url,www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/; reference:cve,2021-20042; classtype:web-application-attack; sid:2061554; rev:1;)
- Look for unauthenticated HTTP GET requests to the '/fileshare/sonicfiles/sonicfiles?' URI path on SonicWall SMA 100-series appliances (SMA 200, 210, 400, 410, 500v).
- The exploit request contains the query parameters 'RacNumber=25' and 'Arg1=' followed by a URL-scheme string (e.g., http:// or https://). The PCRE '/^[a-z]+\x3a\x2f{2}/R' matches a protocol scheme in Arg1, indicating the attacker is supplying an external URL to proxy through the device.
- The attack is classified as a 'Confused Deputy' / unintended proxy abuse: an unauthenticated remote attacker uses the SMA 100 as an intermediary to bypass firewall rules. Monitor for outbound connections originating from the SMA appliance to unexpected external hosts triggered by inbound requests to the sonicfiles endpoint.
- Deploy the Snort/Suricata rule with SID 2061554 at the perimeter and on SSL-decrypting inspection points (TLSDecrypt/SSLDecrypt deployments) to catch this attack over HTTPS.
- Affected appliances are limited to SMA 200, 210, 400, 410, and 500v. Scope detection rules accordingly and do not apply them broadly to other SonicWall product lines.
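The conditions listed above can also be applied retroactively to HTTP access logs. The following Python is an added example, not part of the original page or the ET rule set: it applies the same match conditions as SID 2061554 to log lines. The combined log format (for instance from a reverse proxy or inspection point in front of the appliance), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: common/combined log format with the request line in double quotes.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/fileshare/sonicfiles/sonicfiles?"
# Same idea as the rule's pcre: "Arg1=" immediately followed by scheme://
# Slightly broader than the rule: the scheme is matched case-insensitively.
ARG1_SCHEME_RE = re.compile(r"Arg1=((?i:[a-z]+))://([^/&\s]*)")


def match_sonicfiles_proxy(line):
    """Return a dict describing the hit, or None if the line does not match."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    # Decode percent-encoding once so 'Arg1=https%3A%2F%2F...' is also caught.
    target = unquote(m.group("target"))
    if ENDPOINT not in target or "RacNumber=25" not in target:
        return None
    arg = ARG1_SCHEME_RE.search(target)
    if not arg:
        return None
    return {"src": m.group("src"), "status": int(m.group("status")),
            "scheme": arg.group(1).lower(), "dest": arg.group(2)}


def scan(lines):
    """Return all hits, in input order."""
    return [hit for hit in map(match_sonicfiles_proxy, lines) if hit]


# Constructed sample lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Apr/2025:10:01:02 +0000] "GET /fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=http://host-a.example/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Apr/2025:10:01:09 +0000] "GET /fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=https%3A%2F%2Fhost-b.example%2Fx HTTP/1.1" 200 90',
    '203.0.113.5 - - [14/Apr/2025:10:02:00 +0000] "GET /fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=placeholder HTTP/1.1" 200 33',
    '203.0.113.5 - - [14/Apr/2025:10:02:30 +0000] "POST /fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=http://host-a.example/ HTTP/1.1" 403 0',
    '203.0.113.9 - - [14/Apr/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `dest` field of each hit is the host to correlate against outbound connections from the appliance in firewall or flow logs.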
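CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |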
Suricata
ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)
suricata · 2025-04-14 · CVSS 9.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fileshare/sonicfiles/sonicfiles|3f|"; fast_pattern; content:"RacNumber|3d|25"; content:"Arg1|3d|"; pcre:"/^[a-z]+\x3a\x2f{2}/R"; reference:url,www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/; reference:cve,2021-20042; classtype:web-application-attack; sid:2061554; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_14, cve CVE_2021_20042, deployment Perimeter, deployment Internal,
No public exploits indexed.