CVE-2021-20016

critical

Description

A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.

From the Tenable Blog

CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited in the Wild
CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited in the Wild

Published: 2021-02-04

SonicWall releases a patch after researchers confirm exploitation of a zero-day vulnerability in SonicWall Secure Mobile Access

References

https://www.tenable.com/blog/aa23-215a-2022s-top-routinely-exploited-vulnerabilities

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

https://www.tenable.com/cyber-exposure/a-look-inside-the-ransomware-ecosystem

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a

https://www.tenable.com/blog/behind-the-scenes-how-we-picked-2021s-top-vulnerabilities-and-what-we-left-out

https://www.tenable.com/cyber-exposure/2021-threat-landscape-retrospective

https://www.tenable.com/blog/sonicwall-urges-users-to-patch-several-vulnerabilities-in-secure-mobile-access-products-cve

https://web.archive.org/web/20211025233339/https://twitter.com/pancak3lullz/status/1452679527197560837

https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations

https://www.tenable.com/blog/cve-2021-20016-zero-day-vulnerability-in-sonicwall-secure-mobile-access-sma-exploited

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

Details

Source: Mitre, NVD

Published: 2021-02-04

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical