
Security advisories | Apr 21, 2021

Attacks Exploiting Zero-day Vulnerabilities in SonicWall ES


On April 20th, 2021, security services firm FireEye released a report on three actively exploited zero-day vulnerabilities impacting SonicWall’s Email Security (ES) product. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023.

At least one incident involving these vulnerabilities was identified in March 2021. Unidentified threat actors exploited the vulnerabilities to gain administrator access and execute code on SonicWall ES devices.

Because threat actors are actively exploiting these vulnerabilities in the wild, organizations are strongly advised to apply the available hotfixes as soon as possible.

What we’re doing about it

  • MVS will automatically add the relevant plugins for these vulnerabilities once details are made available
  • eSentire security teams continue to track this event for additional detection measures

What you should do about it

  • After performing a business impact review, apply the hotfix for Windows users and the hotfix for hardware and ESXi virtual appliance users
    • Full security patches will be included in the upcoming SonicWall ES 10.0.10 release
  • Ensure that SonicWall’s Email Security product’s administrative interface is not publicly exposed to the internet

Additional information

All vulnerabilities listed impact SonicWall Email Security version 10.0.9.x.

CVE-2021-20021 (CVSS: 9.4): Unauthorized administrative account creation vulnerability

  • Exploitation allows a remote and unauthenticated attacker to create an administrative account by sending a crafted HTTP request to the remote host

CVE-2021-20022 (CVSS: 6.7): Post-authentication arbitrary file upload vulnerability

  • A previously authenticated threat actor may exploit this vulnerability to upload arbitrary files to the remote host

CVE-2021-20023 (CVSS: 6.7): Post-authentication arbitrary file read vulnerability

  • A previously authenticated threat actor may exploit this vulnerability to read arbitrary files from the remote host

Based on the public report, these vulnerabilities were exploited in at least one real-world attack. The zero-day exploits were used by an adversary to create new administrator accounts, identify hashed passwords for existing admin accounts, create a webshell in an arbitrary directory, and perform real-time debugging. In this attack, the BEHINDER webshell was deployed to compromised assets.

It is currently unclear what the adversaries’ primary goals are and how widespread exploitation of these vulnerabilities is. For more details on the known attack, see the full FireEye report.