Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection
Analysis Summary
Here is the actionable summary of the vulnerability information:
# Vulnerability: Command Injection in SonicWall SMA 100 Series
## CVE Details
- CVE ID: CVE-2021-20035
- CVSS Score: 7.2 (High)
- CWE: OS Command Injection (Implied by "command injection")
## Affected Systems
- Products: SonicWall Secure Mobile Access (SMA) 100 Series appliances (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v)
- Versions:
- Version 10.2.1.0-17sv and earlier
- Version 10.2.0.7-34sv and earlier
- Version 9.0.0.10-28sv and earlier
- Configurations: Affects the SMA100 management interface; requires authentication.
## Vulnerability Description
The vulnerability is an operating system command injection flaw existing within the SMA100 management interface. Improper neutralization of special elements allows a remote, *authenticated* attacker to inject arbitrary commands, which are executed with the privileges of the 'nobody' user. This flaw could potentially lead to remote code execution.
## Exploitation
- Status: Actively Exploited in the wild (CISA added to KEV catalog based on evidence of active exploitation)
- Complexity: Low (Implied, as it requires only authentication, not complex pre-conditions)
- Attack Vector: Network (Remote authenticated access)
## Impact
- Confidentiality: Potential loss (if injected commands successfully access sensitive files/data)
- Integrity: Potential loss (via command execution)
- Availability: Potential loss (via command execution)
## Remediation
### Patches
- For version 10.2.1 train: Upgrade to **10.2.1.1-19sv and higher**
- For version 10.2.0 train: Upgrade to **10.2.0.8-37sv and higher**
- For version 9.0.0 train: Upgrade to **9.0.0.11-31sv and higher**
### Workarounds
The provided text does not list specific technical workarounds, only that patches should be applied. Mitigation generally requires restricting management interface access until patching is complete.
## Detection
- Indicators of compromise (IOCs): Specific IOCs are not detailed in this summary, but defenders should look for unusual remote activity or command execution attempts targeting the SMA management interface logs.
- Detection methods and tools: Monitoring security logs for unauthorized or unusual commands being passed to the management interface, particularly from remote/authenticated user sessions.
## References
- Vendor Advisory Reference: SNWLID-2021-0022
- Vendor Product Notice: hXXps://www.sonicwall.com/support/notices/product-notice-arbitrary-command-injection-vulnerability-in-sonicwall-sma-100-series-appliances/250415122607607
- CISA KEV Catalog Inclusion: hXXps://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog
- SonicWall Advisory: hXXps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022