CVE-2021-20045
published 2021-12-08

Priority: P272 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 25.21% (97.7th percentile)
A buffer overflow vulnerability in SMA100 sonicfiles RAC_COPY_TO (RacNumber 36) method allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Affected

13 ranges
Vendor | Product | Version range | Fixed in
sonicwall | sma_200_firmware
sonicwall | sma_200_firmware
sonicwall | sma_210_firmware
sonicwall | sma_210_firmware
sonicwall | sma_400_firmware
sonicwall | sma_400_firmware
sonicwall | sma_410_firmware
sonicwall | sma_410_firmware
sonicwall | sma_500v_firmware
sonicwall | sma_500v_firmware
sonicwall | sonicwall_sma100
sonicwall | sonicwall_sma100
sonicwall | sonicwall_sma100

Detection & IOCs (extracted from sources)

url: /fileshare/sonicfiles/?
other: RacNumber=36
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated Stack Buffer Overflow (CVE-2021-20045) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileshare/sonicfiles|2f 3f|"; fast_pattern; content:"User|3d|"; pcre:"/^[^\x26]{136,}/R"; content:"RacNumber|3d|36"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/; reference:cve,2021-20045; classtype:web-application-attack; sid:2061730; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20045, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated Stack Buffer Overflow (CVE-2021-20045) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileshare/sonicfiles|2f 3f|"; fast_pattern; content:"Pass|3d|"; pcre:"/^[^\x26]{136,}/R"; content:"RacNumber|3d|36"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/; reference:cve,2021-20045; classtype:web-application-attack; sid:2061731; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20045, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated Heap Buffer Overflow (CVE-2021-20045)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileshare/sonicfiles|2f 3f|"; fast_pattern; content:"Domn|3d|"; pcre:"/^[^\x26]{128,}/R"; content:"RacNumber|3d|36"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/; reference:cve,2021-20045; classtype:web-application-attack; sid:2061732; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20045, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets HTTP POST to /fileshare/sonicfiles/? — monitor for POST requests to this URI path on SMA 100-series appliances.
  • Stack overflow variant M1: look for the 'User' POST parameter with a value of 136+ non-ampersand characters, combined with RacNumber=36.
  • Stack overflow variant M2: look for the 'Pass' POST parameter with a value of 136+ non-ampersand characters, combined with RacNumber=36.
  • Heap overflow variant: look for the 'Domn' POST parameter with a value of 128+ non-ampersand characters, combined with RacNumber=36.
  • The vulnerable method is RAC_COPY_TO with RacNumber 36 — RacNumber=36 in the POST body is a reliable indicator of exploitation attempts against this specific method.
  • Rules require TLS decryption (tls_state TLSDecrypt) to be effective — deploy on SSL-inspecting perimeter sensors or internal decryption points.
  • Detection rules require TLS/SSL inspection to be in place; without decryption, encrypted exploit traffic will not be inspectable by these signatures.
  • Affected appliances are SMA 200, 210, 400, 410, and 500v only; scope detection to those device types to reduce false positives.
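
For sensors or log pipelines that cannot load the rules directly, the same match logic can be applied offline to decrypted request logs. The following is an added example, not code from this page or from the ruleset's authors: it mirrors the three signatures' conditions, which the rules evaluate in the http.uri buffer, and the names SIGNATURES, match_sids and scan and all sample requests are constructed for illustration.

```python
import re

# Added example: offline re-implementation of the three rules' match logic.
# Names (SIGNATURES, match_sids, scan) are hypothetical, not part of any ruleset.
URI_MARKER = "/fileshare/sonicfiles/?"   # content:"/fileshare/sonicfiles|2f 3f|"
METHOD_MARKER = "RacNumber=36"           # content:"RacNumber|3d|36"

# sid -> (parameter name, minimum run of non-'&' characters after "name=")
SIGNATURES = {
    2061730: ("User", 136),   # stack overflow M1
    2061731: ("Pass", 136),   # stack overflow M2
    2061732: ("Domn", 128),   # heap overflow
}

def _oversized(param, min_len):
    # Mirrors content:"<param>=" followed by pcre:"/^[^\x26]{N,}/R".
    return re.compile(re.escape(param) + "=" + r"[^&]{%d,}" % min_len)

_PATTERNS = {sid: _oversized(p, n) for sid, (p, n) in SIGNATURES.items()}

def match_sids(method, uri):
    """Return the sorted list of sids whose conditions the request meets."""
    if method != "POST":                  # http.method; content:"POST"
        return []
    if URI_MARKER not in uri or METHOD_MARKER not in uri:
        return []
    return sorted(sid for sid, rx in _PATTERNS.items() if rx.search(uri))

def scan(requests):
    """Map the index of each matching (method, uri) pair to its sids."""
    hits = {}
    for i, (method, uri) in enumerate(requests):
        sids = match_sids(method, uri)
        if sids:
            hits[i] = sids
    return hits

# Constructed sample requests (not captured traffic).
BASE = "/fileshare/sonicfiles/?RacNumber=36&"
SAMPLES = [
    ("POST", BASE + "User=" + "A" * 136),              # exactly at threshold
    ("POST", BASE + "User=" + "A" * 135 + "&x=1"),     # one character short
    ("POST", BASE + "Domn=" + "B" * 128 + "&Pass=p"),  # heap variant only
    ("GET",  BASE + "Pass=" + "C" * 200),              # wrong method
    ("POST", "/fileshare/sonicfiles/?RacNumber=35&Pass=" + "C" * 200),
]

if __name__ == "__main__":
    for idx, sids in scan(SAMPLES).items():
        print(idx, SAMPLES[idx][1][:48] + "...", sids)
```

Like the rules, the matching is case-sensitive and treats RacNumber=36 as a substring, so a value such as RacNumber=360 also satisfies that condition.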

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P