Cyber Resilience

CVE-2021-20023

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 20 April 2021
Modified: 12 November 2025
KEV Added: 03 November 2021
Patch: see vendor advisory SNWLID-2021-0010
CVSS Score v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.5538 (98.1st percentile)
Risk Priority: 63 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-20023 is a medium-severity Path Traversal (CWE-22) vulnerability in SonicWall Email Security. Its CVSS base score is 4.9 (Medium).

Operationally, its EPSS score ranks it in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

SonicWall Email Security version 10.0.9.x is affected by a path traversal vulnerability tracked as CVE-2021-20023 and classified as CWE-22. The flaw permits a post-authenticated attacker to read arbitrary files on the remote host. It carries a CVSS 3.1 base score of 4.9, reflecting a network attack vector, low attack complexity, high privileges required, and high confidentiality impact with no integrity or availability effects.

An attacker who has already obtained administrative credentials can send specially crafted requests to the affected Email Security appliance and retrieve sensitive files stored on the system. Because the vulnerability requires authentication, it is primarily a risk to organizations whose management interfaces are reachable from untrusted networks or where credential compromise has already occurred.

The official SonicWall PSIRT advisory SNWLID-2021-0010 addresses the issue, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity. Organizations should apply the patches or configuration changes recommended in the vendor advisory and restrict management access to trusted networks.
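The generic defence against the class of flaw described above (CWE-22, arbitrary file read through a user-controlled path) is to resolve every requested name against a fixed base directory and refuse anything that escapes it, which is what the AC-3 control on this page calls "enforcing authorized access to files". The following Python is an added example written for this page; it is not SonicWall code and does not model the Email Security product. The base directory, file names and request strings are constructed for the demonstration, and the check covers the edge cases a reviewer would ask about: URL-encoded dot segments, absolute paths, NUL bytes and symlinks that point outside the base.

```python
"""Path confinement check for a file-read endpoint (added example, not vendor code).

Resolve the user-supplied name under a fixed base directory and refuse any
result that lands outside it. Base directory, files and request strings below
are constructed for this example.
"""
from pathlib import Path
from urllib.parse import unquote
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def resolve_within(base: Path, user_path: str) -> Path:
    """Return the real filesystem path for user_path, or raise if it escapes base.

    - URL-decodes once so encoded '..' segments (%2e%2e) are not missed.
    - Rejects NUL bytes and absolute paths outright.
    - Uses Path.resolve() so '..' segments and symlinks are collapsed
      before the containment check, not after.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    if Path(decoded).is_absolute():
        raise PathTraversalError("absolute paths are not allowed")
    base_real = base.resolve()
    candidate = (base_real / decoded).resolve()
    # Path.is_relative_to requires Python 3.9+
    if not candidate.is_relative_to(base_real):
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_confined(base: Path, user_path: str) -> bytes:
    """Read a file only if it lives under base (access enforcement on the read)."""
    return resolve_within(base, user_path).read_bytes()


def demo() -> dict:
    """Exercise the check against constructed inputs.

    Returns a mapping of request string -> file bytes (allowed) or the name of
    the exception that blocked the read (denied).
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "exports"
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "daily.log").write_bytes(b"ok")
        # A constructed file outside the base directory
        (Path(tmp) / "secret.txt").write_bytes(b"secret")
        requests = [
            "reports/daily.log",          # legitimate
            "../secret.txt",              # plain dot-dot traversal
            "reports/../../secret.txt",   # traversal through a valid subdirectory
            "%2e%2e/secret.txt",          # URL-encoded dot-dot
            "/etc/hostname",              # absolute path
        ]
        try:
            # Symlink inside the base that points outside it
            (base / "link").symlink_to(Path(tmp) / "secret.txt")
            requests.append("link")
        except OSError:
            pass  # symlinks unsupported on this platform; skip that case

        results = {}
        for name in requests:
            try:
                results[name] = read_confined(base, name)
            except (PathTraversalError, FileNotFoundError) as exc:
                results[name] = type(exc).__name__
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:30} -> {outcome!r}")
```

Note that the containment check runs on the resolved path, not on the raw string: a denylist of "../" substrings would miss the encoded and symlink cases, while resolving first and then testing containment handles all of them with one rule.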

EU & UK References

Vulnerability details

SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
sonicwall | email security | ≤ 10.0.9.6173
sonicwall | email security appliance 9000 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 3300 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 4300 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 8300 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 5000 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 7000 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 5050 firmware | ≤ 10.0.9.6177
sonicwall | email security appliance 7050 firmware | ≤ 10.0.9.6177
sonicwall | email security virtual appliance | ≤ 10.0.9.6177
+1 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authorized access to files and prevents the post-auth path traversal that allows arbitrary file reads.

SC-7 Boundary Protection (prevent): Restricts network exposure of the management interface to trusted sources, blocking remote exploitation even with stolen credentials.

Vendor patching (prevent; control identifier not given on this page): Requires timely application of vendor patches that eliminate the path traversal flaw in Email Security 10.0.9.x.

References