Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

ILTA Evolve

Apr

RSAC™ 2025 Conference

May

SIM Houston Women's Roundtable

May

Computing Cybersecurity Festival

May

CISO Strategy Virtual Meetings Seattle

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On April 20th, 2021, security services firm FireEye released a report on three actively exploited zero-day vulnerabilities impacting SonicWall’s Email Security (ES) product. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023.

At least one incident involving these vulnerabilities was identified in March 2021. Unidentified threat actors exploited the vulnerabilities to gain administrator access and execute code on SonicWall ES devices.

As threat actors are actively exploiting these vulnerabilities in the wild, organizations are strongly recommended to apply the available hotfixes as soon as possible.

What we’re doing about it

MVS will automatically add the relevant plugins for these vulnerabilities once details are made available
eSentire security teams continue to track this event for additional detection measures

What you should do about it

After performing a business impact review, apply hotfix 10.0.9.6173 for Windows users and hotfix 10.0.9.6177 for hardware and ESXi virtual appliance users
- Full security patches will be included in the upcoming SonicWall ES 10.0.10 release
Ensure that SonicWall’s Email Security product’s administrative interface is not publicly exposed to the internet

Additional information

All vulnerabilities listed impact SonicWall Email Security version 10.0.9.x.

CVE-2021-20021 (CVSS: 9.4): Unauthorized administrative account creation vulnerability

Exploitation allows a remote and unauthenticated attacker to create an administrative account by sending a crafted HTTP request to the remote host

CVE-2021-20022 (CVSS: 6.7): Post-authentication arbitrary file upload vulnerability

A previously authenticated threat actor may exploit this vulnerability in order to upload arbitrary files to the remote host

CVE-2021-20023 (CVSS: 6.7): Post-authentication arbitrary file read vulnerability

A previously authenticated threat actor may exploit this vulnerability in order to read arbitrary files to the remote host

Based on the public report, these vulnerabilities were exploited in at least one real-world attack. The zero-day exploits were used by an adversary to create new administrator accounts, identify hashed passwords for existing admin accounts, create a webshell in an arbitrary directory, and perform real-time debugging. In this attack, the BEHINDER webshell was deployed to compromised assets.

It is currently unclear what the adversaries’ primary goals are and how widespread exploitation of these vulnerabilities is. For more details on the known attack, see the full FireEye report.

References:

[1] https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html
[2] https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-20021
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-20022
[5] https://nvd.nist.gov/vuln/detail/CVE-2021-20023

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

The Long and Short(cut) of It: KoiLoader Analysis

From Access to Encryption: Dissecting Hunters International's Latest…

eSentire and Qylis Form Strategic Partnership to Deliver Compliant…

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

CrushFTP Authentication Bypass

Critical Next.js Vulnerability (CVE-2025-29927)