Cyber Resilience

CVE-2021-20021

Critical | CISA KEV | Active Exploitation | EUVD Exploited | Ransomware-linked

Published: 09 April 2021
Modified: 10 November 2025
KEV Added: 03 November 2021
Patch: see vendor advisory SNWLID-2021-0007
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9122 (99.7th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-20021 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in SonicWall Email Security. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS 99.7th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

A vulnerability tracked as CVE-2021-20021 exists in SonicWall Email Security version 10.0.9.x and is associated with CWE-269. It permits an unauthenticated remote attacker to create an administrative account by submitting a specially crafted HTTP request to the affected system. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact on confidentiality, integrity, and availability.

An attacker with network access to the SonicWall Email Security appliance can exploit the issue to provision a new administrative account. Successful exploitation grants the attacker full administrative control over the email security platform, enabling further actions such as altering configuration, accessing sensitive data, or deploying additional malicious components.

SonicWall has published advisory SNWLID-2021-0007 detailing the issue, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, which confirms observed in-the-wild exploitation. Organizations should apply the vendor patches or mitigations referenced in the advisory to address the exposure.

EU & UK References

Vulnerability details

A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

CWE(s): CWE-269 (Improper Privilege Management)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sonicwall, all entries below.

- email security: ≤ 10.0.9.6103
- email security appliance 9000 firmware: ≤ 10.0.9.6105
- email security appliance 3300 firmware: ≤ 10.0.9.6105
- email security appliance 4300 firmware: ≤ 10.0.9.6105
- email security appliance 8300 firmware: ≤ 10.0.9.6105
- email security appliance 5000 firmware: ≤ 10.0.9.6105
- email security appliance 7000 firmware: ≤ 10.0.9.6105
- email security appliance 5050 firmware: ≤ 10.0.9.6105
- email security appliance 7050 firmware: ≤ 10.0.9.6105
- email security virtual appliance: ≤ 10.0.9.6105
- +1 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5) AI

prevent: AC-3 (Access Enforcement). Directly enforces authorization checks so that only authenticated administrators may create accounts, blocking the crafted-HTTP unauthenticated account-creation path.

prevent: AC-2 (Account Management). Requires explicit approval and control over account creation/modification, preventing the vulnerability from allowing arbitrary administrative accounts to be provisioned.

prevent: Mandates identification and authentication of all users before any privileged action such as account creation, eliminating the unauthenticated attack vector described in the CVE.

References