CVE-2021-20023
CVE-2021-20023 is a medium-severity vulnerability in Sonicwall Email Security with a CVSS 3.x base score of 4.9. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Medium (CVSS 3.x base score 4.9)
- CVSS v2: 4.0
- EPSS exploit prediction: 51% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-7486
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Sonicwall Email Security
- Published:
- Last modified:
Description
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
SonicWall Email Security Post-Authentication Arbitrary File Read (CVE-2021-20023)
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2021-20023 is a path traversal vulnerability in SonicWall Email Security version 10.0.9.x that enables a post-authenticated remote attacker to read arbitrary files on the underlying host. With a CVSS 3.1 score of 4.9 and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, this flaw poses a meaningful confidentiality risk to organizations relying on the affected email security platform.
Background
SonicWall Email Security is an enterprise email security solution designed to protect organizations from spam, malware, phishing, and data loss. The product is deployed both as physical appliances and virtual appliances across a range of models. In April 2021, SonicWall disclosed that a specific version of the software—10.0.9.x—was susceptible to an arbitrary file read vulnerability that could be leveraged by an already-authenticated user.
Root Cause
The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The application fails to sufficiently sanitize user-supplied input when constructing file paths, allowing an authenticated attacker to traverse the directory structure using sequences such as ../ and access files outside the intended web or application root. The underlying issue stems from insufficient input validation on a file-access endpoint that is reachable after authentication.
Impact
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, yielding a base score of 4.9 (Medium). The attacker must have existing credentials (Privileges Required: High), but once authenticated, the attack complexity is low and no user interaction is required. The confidentiality impact is rated High because successful exploitation allows reading sensitive files such as configuration files, credentials, or system data. There is no direct impact to integrity or availability.
Exploitation Walkthrough
Defensive Context Only. This section describes the vulnerability mechanics for detection and mitigation purposes. Attempting to exploit systems without authorization is illegal and unethical.
An attacker with valid credentials for the SonicWall Email Security administrative interface sends a crafted HTTP request to a file-access endpoint. By injecting directory traversal sequences into the file path parameter, the attacker can coerce the application into returning the contents of files located outside the intended directory. For example, manipulating a request parameter such as filename=../../../etc/passwd or equivalent Windows paths could result in the server returning arbitrary OS files. No exploit code is required beyond a standard HTTP client and valid session credentials.
Affected and Patched Versions
Affected:
- SonicWall Email Security version 10.0.9.x
- SonicWall Email Security Virtual Appliance
- SonicWall Hosted Email Security
- Multiple SonicWall Email Security Appliance firmware versions (3300, 4300, 5000, 5050, 7000, 7050, 8300, 9000)
Patched: SonicWall released security updates to address this vulnerability. Organizations should consult the official SonicWall PSIRT advisory (SNWLID-2021-0010) for specific patch versions and upgrade paths.
Remediation
- Upgrade immediately to a patched version of SonicWall Email Security as specified in SonicWall PSIRT advisory SNWLID-2021-0010.
- Restrict administrative access to the Email Security management interface to a dedicated jump host or VPN segment, limiting the attack surface.
- Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise that could enable exploitation.
- Review and audit file-access permissions on the underlying OS to ensure the application service account cannot access sensitive system files unnecessarily.
Detection
- Monitor web application logs for anomalous file-read requests containing directory traversal patterns (
../,..\, URL-encoded variants) from authenticated sessions. - Correlate administrative login events with subsequent file-access anomalies.
- Leverage endpoint detection and response (EDR) tooling to detect unusual file-read activity by the SonicWall application process.
- Query CISA KEV and threat intelligence feeds for indicators of active exploitation associated with this CVE.
Assessment
With an EPSS score of 0.51407 and inclusion in the CISA KEV catalog since November 3, 2021, CVE-2021-20023 is a confirmed, actively exploited vulnerability in the wild. The relatively high EPSS and documented exploitation by ransomware actors elevate this beyond a theoretical risk. Although the CVSS 3.1 base score of 4.9 appears moderate, the High privileges required constraint is offset by the reality that administrative credentials are frequently targeted through phishing or password reuse. Two key lessons: (1) post-authentication endpoints must sanitize all file path inputs rigorously, and (2) email security appliances—being internet-facing—require aggressive patching cycles commensurate with their exposure.
References
Frequently asked questions
- What is CVE-2021-20023?
- SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
- How severe is CVE-2021-20023?
- CVE-2021-20023 has a CVSS 3.x base score of 4.9, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-20023 being actively exploited?
- Yes. CVE-2021-20023 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-20023?
- CVE-2021-20023 primarily affects Sonicwall Email Security. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-20023?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-20023 have an EU (EUVD) identifier?
- Yes. CVE-2021-20023 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-7486. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-20023 published?
- CVE-2021-20023 was published on 2021-04-20 and last updated on 2026-06-17.
References
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20023
Affected products (11)
- cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_9000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_3300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_4300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_8300_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_5000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_7000_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_5050_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:email_security_appliance_7050_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:email_security_virtual_appliance:*:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:hosted_email_security:*:*:*:*:*:*:*:*
More vulnerabilities in Sonicwall Email Security
- CVE-2021-44228 — Critical (CVSS 10.0): Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in…
- CVE-2021-20021 — Critical (CVSS 9.8): A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account…
- CVE-2021-45046 — Critical (CVSS 9.0): It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default…
- CVE-2021-3450 — High (CVSS 7.4): The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.…
- CVE-2021-20022 — High (CVSS 7.2): SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload…
- CVE-2021-45105 — Medium (CVSS 5.9): Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled…
All CVEs affecting Sonicwall Email Security →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…