CVE-2021-20021
Published: 09 April 2021
Summary
CVE-2021-20021 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in SonicWall Email Security. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
A vulnerability tracked as CVE-2021-20021 exists in SonicWall Email Security version 10.0.9.x and is associated with CWE-269. It permits an unauthenticated remote attacker to create an administrative account by submitting a specially crafted HTTP request to the affected system. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact on confidentiality, integrity, and availability.
An attacker with network access to the SonicWall Email Security appliance can exploit the issue to provision a new administrative account. Successful exploitation grants the attacker full administrative control over the email security platform, enabling further actions such as altering configuration, accessing sensitive data, or deploying additional malicious components.
SonicWall has published advisory SNWLID-2021-0007 detailing the issue, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild exploitation. Organizations should apply vendor patches or mitigations referenced in the advisory to address the exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7484
Vulnerability details
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
- CWE(s): CWE-269 (Improper Privilege Management)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks so that only authenticated administrators may create accounts, blocking the crafted-HTTP unauthenticated account-creation path.
- AC-2 (Account Management): requires explicit approval and control over account creation and modification, preventing the vulnerability from allowing arbitrary administrative accounts to be provisioned.
- IA-2 (Identification and Authentication): mandates identification and authentication of all users before any privileged action such as account creation, eliminating the unauthenticated attack vector described in the CVE.