Cyber Resilience

CVE-2021-20035

Medium · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 27 September 2021

Modified: 31 October 2025
KEV Added: 16 April 2025
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1284 (94.2th percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-20035 is a medium-severity OS Command Injection (CWE-78) vulnerability in SonicWall SMA 200 firmware. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2021-20035 is an OS command injection vulnerability (CWE-78) stemming from improper neutralization of special elements in the management interface of SonicWall SMA 100 appliances. The flaw permits execution of arbitrary commands under the 'nobody' account. It carries a CVSS 3.1 score of 6.5, reflecting a network attack vector, low complexity, and high availability impact, with no confidentiality or integrity effects.

A remote attacker who has already authenticated to the SMA 100 interface can exploit the weakness without user interaction to inject commands that result in denial of service. The attack requires only low-privileged credentials and does not need additional privileges or special network positioning beyond normal management access.

SonicWall advisory SNWLID-2021-0022 and the CISA Known Exploited Vulnerabilities catalog both reference the issue, confirming its inclusion in the CISA catalog of vulnerabilities observed in active exploitation.

EU & UK References

Vulnerability details

Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which potentially leads to DoS.

CWE(s)
KEV Date Added: 16 April 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sonicwall
sma 200 firmware
≤ 9.0.0.11-31sv · 10.2.0.0 — 10.2.0.8-37sv · 10.2.1.0 — 10.2.1.1-19sv
sonicwall
sma 210 firmware
≤ 9.0.0.11-31sv · 10.2.0.0 — 10.2.0.8-37sv · 10.2.1.0 — 10.2.1.1-19sv
sonicwall
sma 400 firmware
≤ 9.0.0.11-31sv · 10.2.0.0 — 10.2.0.8-37sv · 10.2.1.0 — 10.2.1.1-19sv
sonicwall
sma 410 firmware
≤ 9.0.0.11-31sv · 10.2.0.0 — 10.2.0.8-37sv · 10.2.1.0 — 10.2.1.1-19sv
sonicwall
sma 500v
≤ 9.0.0.11-31sv · 10.2.0.0 — 10.2.0.8-37sv · 10.2.1.0 — 10.2.1.1-19sv

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation and neutralization of untrusted inputs to the SMA management interface, blocking the special-element/command-injection vector that enables the CVE.

prevent: Enforces least-privilege execution so that even a successfully injected command runs only under the restricted 'nobody' account, limiting the DoS impact.

prevent: Restricts the management interface to only the minimal required commands and services, reducing the attack surface available for arbitrary command injection.

References