Detections
Analytics

CVE-2021-20039

high

Description

Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

References

https://www.securityweek.com/sonicwall-patches-critical-sma-100-vulnerability-warns-of-recent-malware-attack/

https://www.theregister.com/2025/07/16/sonicwall_vpn_hijack/

https://www.securityweek.com/sonicwall-sma-appliances-targeted-with-new-overstep-malware/

https://www.databreachtoday.com/hackers-use-backdoor-to-steal-data-from-sonicwall-appliance-a-28979

https://www.darkreading.com/remote-workforce/fully-patched-sonicwall-gear-zero-day-attack

https://www.bleepingcomputer.com/news/security/sonicwall-sma-devices-hacked-with-overstep-rootkit-tied-to-ransomware/

https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148

https://thehackernews.com/2025/07/unc6148-backdoors-fully-patched.html

https://cyberscoop.com/sonicwall-sma100-attacks/

https://arstechnica.com/security/2025/07/google-finds-custom-backdoor-being-installed-on-sonicwall-network-devices/

https://www.tenable.com/blog/sonicwall-urges-users-to-patch-several-vulnerabilities-in-secure-mobile-access-products-cve

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

http://packetstormsecurity.com/files/165563/SonicWall-SMA-100-Series-Authenticated-Command-Injection.html

Details

Source: Mitre, NVD

Published: 2021-12-08

Updated: 2022-04-01

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.53655