CVE-2021-20021
CVE-2021-20021 is a critical-severity vulnerability in Sonicwall Email Security with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-269.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 83% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-7484
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-269
- Affected product: Sonicwall Email Security
- Published:
- Last modified:
Description
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
CVE-2021-20021: SonicWall Email Security Unauthenticated Admin Account Creation (CWE-269)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2021-20021 |
| CVSS v3.1 | 9.8 (Critical) |
| CVSS v2 | 7.5 (High) |
| CWE | CWE-269 — Improper Privilege Management |
| EPSS | 0.83425 (99.65th percentile) |
| KEV | Added 2021-11-03 |
| Vendor | SonicWall |
| Product | SonicWall Email Security |
| Affected versions | 10.0.9.x (see References for vendor notice) |
Summary
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. Because the attack requires no authentication and no user interaction, the exposure surface is exceptionally wide.
Background
SonicWall Email Security is an enterprise email gateway and security appliance designed to protect organisations from spam, malware, phishing, and data loss. It is deployed as a physical appliance, virtual appliance, or hosted service. The management interface is exposed to the network for administration and configuration.
Root Cause
This vulnerability is classified as CWE-269: Improper Privilege Management. The application fails to enforce proper authorization checks on a specific administrative endpoint, allowing an unauthenticated attacker to interact with a privileged function that should only be accessible to authenticated administrators. This effectively grants a privilege escalation from "no privileges" to "administrative privileges" in a single network request.
Impact
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical). This reflects:
- Network attack vector (AV:N): Exploitable over the network without physical access.
- Low attack complexity (AC:L): No specialised conditions are required.
- No privileges required (PR:N): Completely unauthenticated.
- No user interaction (UI:N): No victim action is needed.
- High confidentiality impact (C:H): Full read access to mail, configurations, and user data.
- High integrity impact (I:H): Attackers can modify rules, bypass security controls, and inject or delete messages.
- High availability impact (A:H): System disruption, denial of service, or reconfiguration of the mail gateway.
The CVSS v2 score is 7.5 (High) with vector AV:N/AC:L/Au:N/C:P/I:P/A:P, reflecting the same remote, unauthenticated nature with partial impacts in the older scoring framework.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the vulnerability class and defensive posture only. No weaponised exploit code or step-by-step attacker instructions are provided.
The flaw resides in an administrative endpoint that lacks proper authentication enforcement. From a defender's standpoint, an attacker would likely send a specially crafted HTTP request to the management interface that tricks the application into accepting an account creation action without first validating session identity or role. This is a classic case of an authentication/authorization bypass on a sensitive administrative function.
Because the attack is unauthenticated and network-accessible, automated scanners and opportunistic threat actors routinely target exposed management interfaces for this class of vulnerability. The presence of this CVE on the CISA Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation in the wild.
Affected and Patched Versions
- Affected: SonicWall Email Security version 10.0.9.x (including physical appliances, virtual appliances, and the hosted service). Specific appliance models confirmed vulnerable include the 3300, 4300, 5000, 5050, 7000, 7050, 8300, and 9000 series.
- Patched version: Check the SonicWall PSIRT advisory (SNWLID-2021-0007) for the exact fixed version and patch availability.
Remediation
- Patch immediately: Apply the vendor-provided patch or upgrade to a non-vulnerable version as detailed in the SonicWall PSIRT advisory.
- Network segmentation: Restrict access to the SonicWall Email Security management interface to an isolated administrative network. Do not expose the management plane to the internet or untrusted subnets.
- Monitor for rogue accounts: Audit administrative accounts and review authentication logs for unexpected account creation events.
- Compensating controls: If patching is delayed, place a WAF or reverse proxy in front of the management interface with strict allow-listing and rate-limiting rules, or temporarily disable external management access.
Detection
- Network: Monitor for anomalous HTTP POST requests to the management interface from unexpected source IPs, especially those targeting account-creation or privilege-escalation endpoints.
- Logs: Review SonicWall Email Security audit logs for unexpected administrative account creation or changes to user roles.
- Endpoint/Host: Scan for unexpected local accounts on the underlying appliance or virtual appliance.
- Threat intelligence: Correlate IP addresses attempting to access the management interface with known exploit frameworks or scanning campaigns tracked in the CISA KEV catalog.
Assessment
With an EPSS score of 0.83425 and inclusion in the CISA KEV catalog since 2021-11-03, this vulnerability is actively exploited in the wild and should be treated as a high-priority patching item. The combination of unauthenticated remote access and the ability to create administrative accounts makes this a near-perfect pre-authentication remote compromise vector for email security infrastructure.
Key lessons:
- Administrative endpoints must be protected by both authentication and authorization. Even a single endpoint that bypasses these checks can lead to complete system compromise.
- Email security appliances sit on the critical path for inbound and outbound communications. Their compromise is a high-value target for espionage, business email compromise (BEC), and supply-chain attacks.
References
Frequently asked questions
- What is CVE-2021-20021?
- A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
- How severe is CVE-2021-20021?
- CVE-2021-20021 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-20021 being actively exploited?
- Yes. CVE-2021-20021 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-20021?
- CVE-2021-20021 primarily affects Sonicwall Email Security. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-20021?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-20021 have an EU (EUVD) identifier?
- Yes. CVE-2021-20021 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-7484. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-20021 published?
- CVE-2021-20021 was published on 2021-04-09 and last updated on 2026-06-17.
References
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20021
Affected products (11)
- cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_9000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_3300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_4300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_8300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_5000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_7000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_5050_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_7050_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:email_security_virtual_appliance:*:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:hosted_email_security:*:*:*:*:*:*:*:*
More vulnerabilities in Sonicwall Email Security
- CVE-2021-44228 — Critical (CVSS 10.0): Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in…
- CVE-2021-45046 — Critical (CVSS 9.0): It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default…
- CVE-2021-3450 — High (CVSS 7.4): The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.…
- CVE-2021-20022 — High (CVSS 7.2): SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload…
- CVE-2021-45105 — Medium (CVSS 5.9): Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled…
- CVE-2018-3639 — Medium (CVSS 5.5): Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the…
All CVEs affecting Sonicwall Email Security →
Other CWE-269 (Improper Privilege Management) vulnerabilities
- CVE-2026-31852 — Critical (CVSS 10.0): Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is…
- CVE-2025-20282 — Critical (CVSS 10.0): A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-0505 — Critical (CVSS 10.0): On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain…
- CVE-2023-48418 — Critical (CVSS 10.0): In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW…
- CVE-2023-48419 — Critical (CVSS 10.0): An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege
- CVE-2023-31273 — Critical (CVSS 10.0): Protection mechanism failure in some Intel DCM software before version 5.2 may allow an unauthenticated user to…
Browse all CWE-269 (Improper Privilege Management) vulnerabilities →