🔴 CVE-2021-20035

OS command injection vulnerability in the SonicWall SMA100 management interface allows remote authenticated attackers to execute arbitrary commands as the 'nobody' user. The vulnerability is actively exploited in the wild according to its CISA KEV listing.

Risk Level: HIGH_RISK

CVSS Score: 6.5

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2021-09-27

Added to CISA KEV: 2025-04-16 (1297 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2021-20035 is a critical command injection vulnerability affecting SonicWall SMA 100 series appliances that has been subject to active exploitation in the wild [1] [3].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability was confirmed to be under active exploitation in the wild, leading the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) Catalog in April 2025 [3].
  • Usage: Attackers have utilized this flaw to perform malicious activities, including the deployment of tools to steal sensitive data such as passwords and OTP seeds from the appliance's databases [4].
Attack Method and Requirements
  • Method: The vulnerability stems from the improper neutralization of special elements within the SMA 100 management interface, which allows for OS command injection [2] [5].
  • Requirements: Exploitation requires a remote authenticated attacker [2].
Impact
  • Access/Impact: While initially described as potentially leading to a Denial of Service (DoS), the vulnerability was later confirmed to allow for remote code execution (RCE) [5]. Attackers can inject arbitrary commands, typically executing them as a `nobody` user, which can be leveraged to exfiltrate credential databases and establish persistence [2] [4].
Affected Products and Mitigation
  • Affected Products: The vulnerability impacts SonicWall SMA 100 series appliances, specifically models including SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure).
  • Mitigation: Organizations are urged to apply the latest firmware updates provided by SonicWall. The vendor has released patches to address this vulnerability, and administrators should ensure their appliances are updated to the recommended firmware versions (e.g., version 10.2.1.14-75sv) to secure the devices [1].

Sources

  1. SonicWall SMA RCE Vulnerability (CVE-2021-20035) Under Active ...

    SonicWall SMA devices face active attacks via CVE-2021-20035 RCE flaw. Patch now to block remote code execution and secure your VPN appliances from threats.

  2. CVE-2021-20035 Detail - NVD

    Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' ...

  3. CISA Warns of SonicWall Command Injection Vulnerability Exploited in Wild

    The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical SonicWall vulnerability that is actively being exploited by threat actors. On April 16, 2025, CISA added CVE-2021-20035, a command injection vulnerability affecting SonicWall SMA100 appliances…

  4. SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy...

    Dump temp.db & persist.db to steal passwords and OTP seeds. Patched Feb 2025. CVE-2021-20035. Patched June 2025. The Shell commands executed by the dopasswords command depicts how OVERSTEP compresses credential databases into a web-reachable TAR archive, ensuring effortless download by the attacker.

  5. Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021 ...

    CVE-2021-20035 is due to improper neutralization of special elements in the SMA100 management interface and can be exploited by remote ... CVE-2021-20035 exploited. Sonicwall confirmed it by updating the original security advisory to reflect the new state of play, and by changing the description of…