Cyber Resilience

CVE-2021-20022

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 09 April 2021

Modified: 10 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3260 (97.0th percentile)
Risk Priority: 54 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-20022 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in SonicWall Email Security. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

SonicWall Email Security version 10.0.9.x is affected by an arbitrary file upload vulnerability tracked as CVE-2021-20022 and assigned CWE-434. The flaw permits a remote attacker to upload an arbitrary file to the host after authentication. It carries a CVSS 3.1 score of 7.2, with a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

A post-authenticated attacker who already possesses valid administrative credentials can exploit the weakness over the network to upload and execute arbitrary files, resulting in full control of the affected Email Security appliance.

The official SonicWall advisory SNWLID-2021-0008 details the issue and corresponding remediation steps, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sonicwall · email security · ≤ 10.0.9.6103
sonicwall · email security appliance 9000 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 3300 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 4300 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 8300 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 5000 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 7000 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 5050 firmware · ≤ 10.0.9.6105
sonicwall · email security appliance 7050 firmware · ≤ 10.0.9.6105
sonicwall · email security virtual appliance · ≤ 10.0.9.6105
+1 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly enforces validation of file uploads to block arbitrary/unrestricted files as exploited in CVE-2021-20022.

prevent: Disables or restricts the unnecessary file-upload capability that the post-authenticated attacker abuses to achieve code execution.

prevent: Limits which authenticated administrators can perform system-changing file uploads, reducing the attack surface described in the CVE.

References