SMA100: OS command injection in SonicWall SMA100 management interface (CVE-2021-20035) #shorts

Summary

In this episode, we discuss CVE-2021-20035, a critical OS command injection vulnerability in SonicWall SMA100 series appliances. Attackers are actively exploiting this flaw to run arbitrary commands as the ‘nobody’ user, potentially causing denial of service. SonicWall and CISA have issued urgent warnings—if you use SMA100 devices, you need to act now.

Product details

The affected products are SonicWall SMA100 series secure remote access appliances, including versions 9.0.0.10-28sv and earlier, 10.2.0.7-34sv and earlier, and 10.2.1.0-17sv and earlier. These devices provide single sign‑on, VPN and multifactor authentication for remote users.
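To check an appliance inventory against the version ceilings listed above, the following added example (not code from SonicWall or from this page) classifies firmware strings. It assumes each ceiling bounds the release branch that shares its first three version fields, and that builds older than the oldest ceiling fall under "and earlier". The hostnames and inventory versions are constructed.

```python
import re

# Affected ceilings exactly as listed on this page ("<version> and earlier").
AFFECTED_CEILINGS = ["9.0.0.10-28sv", "10.2.0.7-34sv", "10.2.1.0-17sv"]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Turn '10.2.0.7-34sv' into (10, 2, 0, 7, 34); raise ValueError otherwise."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised SMA100 firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(text):
    """Return 'affected', 'not-listed-as-affected' or 'check-advisory'."""
    version = parse_version(text)
    ceilings = sorted(parse_version(c) for c in AFFECTED_CEILINGS)
    for ceiling in ceilings:
        # Assumption: each ceiling bounds the branch sharing its first three fields.
        if version[:3] == ceiling[:3]:
            return "affected" if version <= ceiling else "not-listed-as-affected"
    # Assumption: anything older than the oldest ceiling falls under "and earlier".
    if version < ceilings[0]:
        return "affected"
    # A branch this page does not mention: do not guess, consult the vendor advisory.
    return "check-advisory"

def triage(inventory):
    """Map {hostname: firmware string} to {hostname: status}."""
    report = {}
    for host, firmware in inventory.items():
        try:
            report[host] = classify(firmware)
        except ValueError:
            report[host] = "unparseable"  # needs a human to read the real version
    return report

# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "sma-edge-1": "10.2.0.7-34sv", "sma-edge-2": "10.2.0.9-41sv",
    "sma-lab": "9.0.0.5-19sv", "sma-old": "8.0.0.4-25sv",
    "sma-dr": "10.2.1.0-17sv", "sma-new": "10.3.0.1-2sv", "sma-odd": "v10.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A "not-listed-as-affected" result only means the build is above the ceiling given here for its branch; confirm the fixed release against SonicWall's advisory before closing the finding.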

Vulnerability type summary

CVE-2021-20035 is categorized under CWE-78: Improper Neutralization of Special Elements used in an OS Command, also known as OS command injection. A remote attacker can inject shell commands when input fields are not properly sanitized.

Details of the vulnerability

In the SMA100 management interface, certain user-supplied inputs are passed directly to system calls without adequate filtering. An authenticated attacker can craft malicious payloads to execute arbitrary commands with the permissions of the ‘nobody’ user. While ‘nobody’ has limited rights, chaining additional flaws or abusing services can lead to denial of service or further compromise. Exploits have been observed in the wild, prompting CISA to add this CVE to its Known Exploited Vulnerabilities catalog.

Conclusion

CVE-2021-20035 poses a real risk to organizations using SonicWall SMA100 appliances. To protect your network, immediately update to the patched firmware versions provided by SonicWall. Disable remote administration where possible, audit access logs for suspicious activity, and follow CISA’s guidance on mitigation. Stay vigilant and keep your security appliances up to date.

Watch the full video on YouTube: CVE-2021-20035

CVE database technical details

CVE ID: CVE-2021-20035
Description: Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.
Provider: sonicwall
CWE / problem types: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Software Versions: SonicWall SMA100: 9.0.0.10-28sv and earlier (affected); 10.2.0.7-34sv and earlier (affected); 10.2.1.0-17sv and earlier (affected)
Date Published: 2021-09-27T17:20:12.000Z
Last Updated: 2025-04-17T03:55:35.767Z