CVE-2021-20043
published 2021-12-08

Priority: P2 · 64 · CVSS 3.1 base score 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 23.26% (97.5th percentile)
A heap-based buffer overflow in the getBookmarks method of SonicWall SMA100 allows a remote authenticated attacker to potentially execute code as the nobody user on the appliance. This vulnerability affected the SMA 200, 210, 400, 410 and 500v appliances.

Affected (14 ranges)

Vendor | Product | Version range | Fixed in
sonicwall | sma | |
sonicwall | sma_200_firmware | |
sonicwall | sma_200_firmware | |
sonicwall | sma_210_firmware | |
sonicwall | sma_210_firmware | |
sonicwall | sma_400_firmware | |
sonicwall | sma_400_firmware | |
sonicwall | sma_410_firmware | |
sonicwall | sma_410_firmware | |
sonicwall | sma_500v_firmware | |
sonicwall | sma_500v_firmware | |
sonicwall | sonicwall_sma100 | |
sonicwall | sonicwall_sma100 | |
sonicwall | sonicwall_sma100 | |

(Version range and fixed-in values are not reproduced on this page; consult the vendor advisory before deciding whether a given firmware build is patched.)

Detection & IOCs (extracted from sources)

path: /cgi-bin/sonicfiles
path: /cgi-bin/editBookmark
URI parameter: RacNumber=35 (selects the getBookmarks handler in /cgi-bin/sonicfiles)
cookie: swcctn=
Suricata rule (ET Open, sid 2061729; uses Suricata sticky-buffer syntax):
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Heap-Based Buffer Overflow (CVE-2021-20043)"; flow:established,to_server; flowbits:isset,ET.SW.Bookmark; http.method; content:"POST"; http.uri; content:"/cgi-bin/sonicfiles|3f|"; fast_pattern; content:"RacNumber|3d|35"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-heap-based-buffer-overflow-cve-2021-20043/; reference:cve,2021-20043; classtype:web-application-attack; sid:2061729; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20043, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Suricata rule (ET Open, sid 2061728; sets the flowbit the rule above depends on):
alert http any any -> $HOME_NET any (msg:"ET INFO SonicWall SMA Multiple CIFS Server Bookmark Creation"; flow:established,to_server; flowbits:set,ET.SW.Bookmark; http.method; content:"POST"; http.uri; content:"/cgi-bin/editBookmark|3f|"; fast_pattern; http.request_body; content:"bmName|3d|"; pcre:"/^[^\x26]{64,}/R"; content:"service|3d|CIFS"; threshold:type threshold, seconds 30, count 5, track by_src; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-heap-based-buffer-overflow-cve-2021-20043/; classtype:misc-activity; sid:2061728; rev:2; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Informational, updated_at 2026_01_20; target:dest_ip;)
Suricata rule (ET Open, sid 2034897; standalone alternative):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; http.request_body; content:"bmName="; startswith; pcre:"/^[^&]{100,}/R"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20043; classtype:attempted-admin; sid:2034897; rev:1; metadata:created_at 2022_01_12, cve CVE_2021_20043, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_12;)
  • Detection is chained in two stages. Stage 1 (sid 2061728) is bookmark staging: POST requests to /cgi-bin/editBookmark whose bmName body value is at least 64 characters (the pcre requires 64 or more non-& bytes after bmName=) and whose body contains service=CIFS; five such requests from one source within 30 seconds set the flowbit ET.SW.Bookmark. Stage 2 (sid 2061729) is the trigger: a POST to /cgi-bin/sonicfiles with RacNumber=35 (the getBookmarks method) on a flow where that flowbit is already set.
  • The thresholds (5 in 30 s for sid 2061728, 3 in 60 s for sid 2034897) are tuning choices by the rule authors, not exploit requirements; an attacker can stage the overflow with fewer or slower requests and stay below them.
  • Standalone alternative (sid 2034897): POST requests with swcctn= in the URI and a body that starts with bmName= followed by 100 or more non-& characters, three from the same source within 60 seconds.
  • All three rules require TLS decryption on the sensor (the rules' tls_state TLSDecrypt and deployment SSLDecrypt metadata): the appliance serves HTTPS, so without inspection neither the URI nor the request body is visible and none of the rules can fire.
  • sid 2061729 fires only if sid 2061728 has set ET.SW.Bookmark, so both rules must be loaded. Flowbits are scoped to a single flow, so the staging POSTs and the sonicfiles trigger must arrive on the same TCP connection for the chain to match; an attacker who uses a fresh connection per request is seen only by the standalone rule.
  • sid 2034897 carries Medium confidence in its metadata; expect false positives where users legitimately create many bookmarks with long names.
  • Exploitation needs an authenticated session (the swcctn cookie). Correlate rule hits with the appliance's own logs: a single account creating a burst of unusually long bookmark names shortly before a getBookmarks call is the pattern to hunt for.
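The two-stage logic the rules above encode, run over a handful of constructed, already-decrypted HTTP request records, as an added example: this is not the page's, the ET rule authors' or SonicWall's code, and the sample requests, IPs and bookmark values are invented. It deliberately keys the staging state by source IP rather than by flow (an assumption that is broader than the rules' flowbit), and the class and function names are the example's own.

```python
"""Toy re-implementation of the sid 2061728 / 2061729 / 2034897 logic for CVE-2021-20043.
Added example, not vendor or ET Open code. Input is a list of decrypted request records
(ts_seconds, src_ip, method, uri, body); the sample at the bottom is constructed."""
import re
from collections import defaultdict, deque
from urllib.parse import parse_qs

STAGE1_WINDOW, STAGE1_COUNT = 30, 5   # sid 2061728: threshold 5 hits / 30 s, track by_src
ALT_WINDOW, ALT_COUNT = 60, 3         # sid 2034897: threshold 3 hits / 60 s, track by_src
BM_NAME_RE = re.compile(r"(?:^|&)bmName=([^&]*)")   # value runs up to the next '&', like [^\x26]


def bm_name_len(body):
    """Length of the bmName form value in a URL-encoded body, 0 if absent."""
    m = BM_NAME_RE.search(body)
    return len(m.group(1)) if m else 0


def _threshold(dq, ts, window, count):
    """Mirror 'threshold:type threshold': fire on every count-th match inside window, then reset."""
    dq.append(ts)
    while ts - dq[0] > window:
        dq.popleft()
    if len(dq) >= count:
        dq.clear()
        return True
    return False


class BookmarkOverflowDetector:
    def __init__(self):
        self.stage1_hits = defaultdict(deque)
        self.alt_hits = defaultdict(deque)
        # Stand-in for flowbit ET.SW.Bookmark. Keyed by source IP (assumption: broader than
        # the real per-flow flowbit, so multi-connection attackers are still chained).
        self.staged = set()
        self.alerts = []          # (ts, src, sid)

    def feed(self, ts, src, method, uri, body):
        if method != "POST":
            return
        path, _, query = uri.partition("?")
        name_len = bm_name_len(body)

        # Stage 1 (sid 2061728): long CIFS bookmark names, repeated from one source.
        if path == "/cgi-bin/editBookmark" and name_len >= 64 and "service=CIFS" in body.split("&"):
            if _threshold(self.stage1_hits[src], ts, STAGE1_WINDOW, STAGE1_COUNT):
                self.staged.add(src)
                self.alerts.append((ts, src, 2061728))

        # Stage 2 (sid 2061729): getBookmarks (RacNumber=35) after staging has been seen.
        if path == "/cgi-bin/sonicfiles" and parse_qs(query).get("RacNumber") == ["35"] \
                and src in self.staged:
            self.alerts.append((ts, src, 2061729))

        # Standalone rule (sid 2034897): swcctn= in the URI, body starting with a >=100-char bmName.
        if "swcctn=" in uri and body.startswith("bmName=") and name_len >= 100:
            if _threshold(self.alt_hits[src], ts, ALT_WINDOW, ALT_COUNT):
                self.alerts.append((ts, src, 2034897))


def run(records):
    """Feed records in order and return the alert list."""
    det = BookmarkOverflowDetector()
    for rec in records:
        det.feed(*rec)
    return det.alerts


# Constructed sample: one attacker staging five long CIFS bookmarks and then calling
# getBookmarks, and one ordinary user creating a short bookmark and listing bookmarks.
LONG_NAME = "A" * 80
STAGING = f"bmName={LONG_NAME}&service=CIFS&host=fs01"
SAMPLE = [
    (0.0, "10.0.0.5", "POST", "/cgi-bin/editBookmark?", STAGING),
    (1.5, "10.0.0.5", "POST", "/cgi-bin/editBookmark?", STAGING),
    (3.0, "10.0.0.5", "POST", "/cgi-bin/editBookmark?", STAGING),
    (4.5, "10.0.0.5", "POST", "/cgi-bin/editBookmark?", STAGING),
    (6.0, "10.0.0.5", "POST", "/cgi-bin/editBookmark?", STAGING),
    (8.0, "10.0.0.5", "POST", "/cgi-bin/sonicfiles?RacNumber=35", ""),
    (9.0, "10.0.0.9", "POST", "/cgi-bin/editBookmark?", "bmName=share&service=CIFS&host=fs01"),
    (9.5, "10.0.0.9", "POST", "/cgi-bin/sonicfiles?RacNumber=35", ""),
]

if __name__ == "__main__":
    for ts, src, sid in run(SAMPLE):
        print(f"t={ts:>4}  src={src}  sid={sid}")
```

The only alerts come from 10.0.0.5: sid 2061728 on the fifth staging request and sid 2061729 on the following getBookmarks call; the ordinary user's identical RacNumber=35 request is silent because no staging preceded it. Keying the staging flag by source IP instead of by flow is what lets this catch an attacker who opens a new connection per request, at the cost of tying several users behind one NAT address together.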

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P