CVE-2021-20038
CVE-2021-20038 is a critical-severity vulnerability in Sonicwall Sma 200 Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-28). The underlying weakness is classified as CWE-121.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-01-28)
- EU (EUVD) id: EUVD-2021-7501
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-01-28)
- Weakness: CWE-121
- Affected product: Sonicwall Sma 200 Firmware
- Published:
- Last modified:
Description
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
CVE-2021-20038: SonicWall SMA 100 Stack-Based Buffer Overflow in mod_cgi
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2021-20038 |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS v2 | 7.5 |
| EPSS | 0.99912 (99.9th percentile) |
| CWE | CWE-121: Stack-based Buffer Overflow |
| KEV | Yes (since 2022-01-28) |
Summary
CVE-2021-20038 is a stack-based buffer overflow vulnerability in the Apache httpd server's mod_cgi module within SonicWall SMA 100 appliances. The flaw exists in the handling of environment variables, allowing a remote unauthenticated attacker to potentially execute arbitrary code as the 'nobody' user on the appliance.
Background
SonicWall Secure Mobile Access (SMA) 100 series appliances provide secure remote access to corporate networks. The devices run an embedded Apache httpd server to handle web requests. The mod_cgi module is responsible for executing CGI scripts and managing the environment variables passed to them. This vulnerability specifically affects the environment variable handling within this module.
Root Cause
The vulnerability is classified as CWE-121: Stack-based Buffer Overflow. The mod_cgi module in the SMA 100 Apache httpd server fails to properly validate the size of environment variables before copying them into a fixed-size stack buffer. When an attacker supplies environment variables that exceed the allocated buffer size, the overflow overwrites adjacent stack memory, potentially corrupting return addresses and enabling code execution.
Impact
With a CVSS v3 score of 9.8 (CRITICAL) and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this vulnerability is:
- Network exploitable (AV:N) with low attack complexity (AC:L)
- Requires no privileges (PR:N) and no user interaction (UI:N)
- Grants High impact across Confidentiality, Integrity, and Availability (C:H/I:H/A:H)
The CVSS v2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) also reflects significant network-based risk. An attacker could potentially achieve remote code execution as the 'nobody' user, leading to full compromise of the appliance.
Exploitation Walkthrough
Defensive perspective only — this section is for understanding attack surface, not reproduction.
The vulnerability is triggered through the Apache httpd mod_cgi module when processing HTTP requests containing maliciously crafted environment variables. An attacker could potentially exploit this by sending a web request with oversized environment variable data to a vulnerable SMA 100 appliance. Successful exploitation may result in code execution within the context of the 'nobody' user account.
Ethics caveat: No working exploit code or step-by-step reproduction instructions are provided here. Security teams should focus on patching and detection rather than attempting to weaponize this flaw.
Affected and Patched Versions
Affected products:
- SonicWall SMA 200
- SonicWall SMA 210
- SonicWall SMA 400
- SonicWall SMA 410
- SonicWall SMA 500v
Affected firmware versions:
- 10.2.0.8-37sv and earlier
- 10.2.1.1-19sv and earlier
- 10.2.1.2-24sv and earlier
Specific patched firmware versions are not detailed in the available source data. Administrators should consult the SonicWall PSIRT advisory (SNWLID-2021-0026) for the latest patched releases.
Remediation
- Upgrade firmware: Apply the latest patched firmware from SonicWall as soon as possible. Refer to the SonicWall PSIRT advisory for specific version guidance.
- Compensating controls:
- Restrict management and web interface access to trusted IP ranges only.
- Deploy SMA appliances behind a Web Application Firewall (WAF) or reverse proxy with strict request size limits.
- Monitor for anomalous HTTP requests to the SMA appliance, particularly those with unusually large headers or environment variable data.
- Disable external access to the SMA web interface if not strictly required.
Detection
- Monitor network traffic for unusual HTTP requests targeting SMA 100 appliances, especially requests with abnormally large header or environment variable fields.
- Review appliance logs for unexpected CGI process crashes or httpd restarts.
- Check CISA's Known Exploited Vulnerabilities (KEV) catalog for updated detection guidance.
- Use vulnerability scanners that can detect SMA 100 firmware versions to identify unpatched appliances.
Assessment
With an EPSS score of 0.99912 (99.9th percentile), this vulnerability is among the most likely to be exploited in the wild. It has been listed in CISA's KEV catalog since 2022-01-28, confirming active exploitation. The combination of unauthenticated remote access, low complexity, and critical impact makes this a high-priority patching target.
Key lessons:
- Buffer overflows in web-facing modules remain a critical risk — even in modern appliances, memory safety issues in server modules can expose entire VPN gateways to remote compromise.
- KEV-listed vulnerabilities require immediate action — the near-certain EPSS probability and confirmed in-the-wild exploitation mean every day of delay significantly increases risk.
References
- https://github.com/jbaines-r7/badblood
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20038
Frequently asked questions
- What is CVE-2021-20038?
- A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
- How severe is CVE-2021-20038?
- CVE-2021-20038 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-20038 being actively exploited?
- Yes. CVE-2021-20038 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-20038?
- CVE-2021-20038 primarily affects Sonicwall Sma 200 Firmware. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-20038?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-20038 have an EU (EUVD) identifier?
- Yes. CVE-2021-20038 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-7501. It is also flagged as exploited in the EUVD (since 2022-01-28).
- When was CVE-2021-20038 published?
- CVE-2021-20038 was published on 2021-12-08 and last updated on 2026-06-17.
References
- https://github.com/jbaines-r7/badblood
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20038
Affected products (15)
- cpe:2.3:o:sonicwall:sma_200_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_210_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_410_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_400_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*
- cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*
More vulnerabilities in Sonicwall Sma 200 Firmware
- CVE-2022-22273 — Critical (CVSS 9.8): Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure…
- CVE-2021-20045 — Critical (CVSS 9.8): A buffer overflow vulnerability in SMA100 sonicfiles RAC_COPY_TO (RacNumber 36) method allows a remote unauthenticated…
- CVE-2021-20042 — Critical (CVSS 9.8): An unauthenticated remote attacker can use SMA 100 as an unintended proxy or intermediary undetectable proxy to bypass…
- CVE-2021-20016 — Critical (CVSS 9.8): A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to…
- CVE-2024-38475 — Critical (CVSS 9.1): Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to…
- CVE-2021-20034 — Critical (CVSS 9.1): An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path…
All CVEs affecting Sonicwall Sma 200 Firmware →
Other CWE-121 (Stack-based Buffer Overflow) vulnerabilities
- CVE-2026-12848 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-12847 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-12846 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-12485 — Critical (CVSS 10.0): GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and…
- CVE-2026-37541 — Critical (CVSS 10.0): Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length…
- CVE-2026-42996 — Critical (CVSS 10.0): JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of…
Browse all CWE-121 (Stack-based Buffer Overflow) vulnerabilities →