CVE-2021-20016

CVE-2021-20016 is a critical-severity vulnerability in Sonicwall Sma 100 Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-89.

Key facts

Description

A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.

CVE-2021-20016: SonicWall SMA 100 SQL Injection Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2021-20016 is a SQL injection vulnerability in SonicWall SMA 100 series SSLVPN appliances. A remote, unauthenticated attacker can craft malicious SQL queries to access usernames, passwords, and session-related information.

Background

SonicWall Secure Mobile Access (SMA) 100 series appliances provide secure remote access to corporate networks. The SSLVPN functionality on SMA 100, 200, 210, 400, 410, and the SMA 500v virtual appliance was found to be vulnerable to SQL injection due to improper sanitization of user-supplied input.

Root Cause

The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements in an SQL Command (SQL Injection). The SSLVPN authentication or session management interface failed to properly sanitize user input before incorporating it into SQL queries, allowing an attacker to inject arbitrary SQL commands.

Impact

With a CVSS v3.1 score of 9.8 (Critical), the impact is severe. The attack vector is network-based, requires no authentication or privileges, and no user interaction. The vulnerability enables high confidentiality, integrity, and availability impacts, meaning an attacker can read, modify, or delete data, and potentially disrupt service.

Exploitation Walkthrough

From a defensive standpoint, attackers can exploit SQL injection by sending specially crafted input to the SSLVPN interface. The attack typically involves injecting SQL syntax to bypass authentication or extract data from backend databases. While this section does not provide working exploit code, defenders should understand that automated scanners and known exploit frameworks have incorporated this vulnerability. Ethics caveat: This information is for defensive purposes only; unauthorized testing or exploitation of systems without explicit written permission is illegal and unethical.

Affected and Patched Versions

Affected: SMA 100 firmware build version 10.x, SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v.

Patched: Consult the SonicWall PSIRT advisory SNWLID-2021-0001 for the specific patched firmware versions.

Remediation

  1. Upgrade SMA 100 firmware to the latest patched version available from SonicWall.
  2. If immediate patching is not possible, restrict SSLVPN access to trusted IP ranges and enforce MFA where possible.
  3. Monitor for unusual SQL errors or unauthorized access attempts in appliance logs.
  4. Consider disabling external SSLVPN access until the patch is applied.

Detection

  • Monitor web logs for suspicious SQL injection patterns (e.g., UNION SELECT, single quotes, comment sequences).
  • Look for anomalous authentication success from unexpected sources.
  • Enable logging on the SMA appliance and forward logs to a SIEM for correlation.
  • Review CISA KEV catalog and EUVD-2021-7479 for additional detection guidance.

Assessment

This vulnerability carries an EPSS score of 0.40038, placing it in the 98.5th percentile, indicating a very high probability of exploitation. It has been listed in the CISA Known Exploited Vulnerabilities catalog since 2021-11-03 and is actively exploited in the wild. The EUVD also confirmed exploitation starting from the same date.

Key lessons:

  1. Legacy network appliances with externally exposed management interfaces remain high-value targets for threat actors.
  2. A single SQL injection flaw can have catastrophic consequences when it resides on a perimeter security device that handles authentication and session data.

References

Frequently asked questions

What is CVE-2021-20016?
A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.
How severe is CVE-2021-20016?
CVE-2021-20016 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-20016 being actively exploited?
Yes. CVE-2021-20016 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-20016?
CVE-2021-20016 primarily affects Sonicwall Sma 100 Firmware. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-20016?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-20016 have an EU (EUVD) identifier?
Yes. CVE-2021-20016 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-7479. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-20016 published?
CVE-2021-20016 was published on 2021-02-04 and last updated on 2026-06-17.

References

Affected products (6)

More vulnerabilities in Sonicwall Sma 100 Firmware

All CVEs affecting Sonicwall Sma 100 Firmware →

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →