
CVE-2021-20038

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 08 December 2021
Modified: 31 October 2025
KEV Added: 28 January 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9429 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-20038 is a critical-severity stack-based buffer overflow (CWE-121) vulnerability in SonicWall SMA 200 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A stack-based buffer overflow vulnerability exists in the mod_cgi module of the Apache httpd server on SMA100 appliances, triggered via environment variables. It affects SonicWall SMA 200, 210, 400, 410, and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv, and earlier versions, and is also associated with CWE-121 and CWE-787.

A remote unauthenticated attacker can exploit the flaw over the network to potentially execute arbitrary code as the 'nobody' user on the appliance. The issue received a CVSS 3.1 score of 9.8, reflecting the combination of low attack complexity, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability.

SonicWall PSIRT advisory SNWLID-2021-0026 and related reporting from Rapid7 document the issue, while public proof-of-concept code is available in the badblood repository.


Vulnerability details

A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

CWE(s): CWE-121, CWE-787
KEV Date Added: 28 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

SonicWall SMA 200 firmware: 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv
SonicWall SMA 210 firmware: 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv
SonicWall SMA 410 firmware: 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv
SonicWall SMA 400 firmware: 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv
SonicWall SMA 500v firmware: 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of all input (including environment variables passed to mod_cgi) to reject malformed data that would trigger the stack buffer overflow.

SI-16 Memory Protection (prevent): Requires memory-protection mechanisms (ASLR, non-executable stack, bounds checking) that block exploitation of the stack-based buffer overflow even if triggered.

Vendor patching (prevent): Mandates timely installation of vendor patches that remediate the mod_cgi buffer-overflow flaw in the listed SMA firmware versions.
