CVE-2021-20038

CVE-2021-20038 is a critical-severity vulnerability in Sonicwall Sma 200 Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-28). The underlying weakness is classified as CWE-121.

Key facts

Description

A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

CVE-2021-20038: SonicWall SMA 100 Stack-Based Buffer Overflow in mod_cgi

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2021-20038
CVSS v3 9.8 (CRITICAL)
CVSS v2 7.5
EPSS 0.99912 (99.9th percentile)
CWE CWE-121: Stack-based Buffer Overflow
KEV Yes (since 2022-01-28)

Summary

CVE-2021-20038 is a stack-based buffer overflow vulnerability in the Apache httpd server's mod_cgi module within SonicWall SMA 100 appliances. The flaw exists in the handling of environment variables, allowing a remote unauthenticated attacker to potentially execute arbitrary code as the 'nobody' user on the appliance.

Background

SonicWall Secure Mobile Access (SMA) 100 series appliances provide secure remote access to corporate networks. The devices run an embedded Apache httpd server to handle web requests. The mod_cgi module is responsible for executing CGI scripts and managing the environment variables passed to them. This vulnerability specifically affects the environment variable handling within this module.

Root Cause

The vulnerability is classified as CWE-121: Stack-based Buffer Overflow. The mod_cgi module in the SMA 100 Apache httpd server fails to properly validate the size of environment variables before copying them into a fixed-size stack buffer. When an attacker supplies environment variables that exceed the allocated buffer size, the overflow overwrites adjacent stack memory, potentially corrupting return addresses and enabling code execution.

Impact

With a CVSS v3 score of 9.8 (CRITICAL) and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this vulnerability is:

  • Network exploitable (AV:N) with low attack complexity (AC:L)
  • Requires no privileges (PR:N) and no user interaction (UI:N)
  • Grants High impact across Confidentiality, Integrity, and Availability (C:H/I:H/A:H)

The CVSS v2 score of 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) also reflects significant network-based risk. An attacker could potentially achieve remote code execution as the 'nobody' user, leading to full compromise of the appliance.

Exploitation Walkthrough

Defensive perspective only — this section is for understanding attack surface, not reproduction.

The vulnerability is triggered through the Apache httpd mod_cgi module when processing HTTP requests containing maliciously crafted environment variables. An attacker could potentially exploit this by sending a web request with oversized environment variable data to a vulnerable SMA 100 appliance. Successful exploitation may result in code execution within the context of the 'nobody' user account.

Ethics caveat: No working exploit code or step-by-step reproduction instructions are provided here. Security teams should focus on patching and detection rather than attempting to weaponize this flaw.

Affected and Patched Versions

Affected products:

  • SonicWall SMA 200
  • SonicWall SMA 210
  • SonicWall SMA 400
  • SonicWall SMA 410
  • SonicWall SMA 500v

Affected firmware versions:

  • 10.2.0.8-37sv and earlier
  • 10.2.1.1-19sv and earlier
  • 10.2.1.2-24sv and earlier

Specific patched firmware versions are not detailed in the available source data. Administrators should consult the SonicWall PSIRT advisory (SNWLID-2021-0026) for the latest patched releases.

Remediation

  1. Upgrade firmware: Apply the latest patched firmware from SonicWall as soon as possible. Refer to the SonicWall PSIRT advisory for specific version guidance.
  2. Compensating controls:
    • Restrict management and web interface access to trusted IP ranges only.
    • Deploy SMA appliances behind a Web Application Firewall (WAF) or reverse proxy with strict request size limits.
    • Monitor for anomalous HTTP requests to the SMA appliance, particularly those with unusually large headers or environment variable data.
    • Disable external access to the SMA web interface if not strictly required.

Detection

  • Monitor network traffic for unusual HTTP requests targeting SMA 100 appliances, especially requests with abnormally large header or environment variable fields.
  • Review appliance logs for unexpected CGI process crashes or httpd restarts.
  • Check CISA's Known Exploited Vulnerabilities (KEV) catalog for updated detection guidance.
  • Use vulnerability scanners that can detect SMA 100 firmware versions to identify unpatched appliances.

Assessment

With an EPSS score of 0.99912 (99.9th percentile), this vulnerability is among the most likely to be exploited in the wild. It has been listed in CISA's KEV catalog since 2022-01-28, confirming active exploitation. The combination of unauthenticated remote access, low complexity, and critical impact makes this a high-priority patching target.

Key lessons:

  1. Buffer overflows in web-facing modules remain a critical risk — even in modern appliances, memory safety issues in server modules can expose entire VPN gateways to remote compromise.
  2. KEV-listed vulnerabilities require immediate action — the near-certain EPSS probability and confirmed in-the-wild exploitation mean every day of delay significantly increases risk.

References

Frequently asked questions

What is CVE-2021-20038?
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
How severe is CVE-2021-20038?
CVE-2021-20038 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-20038 being actively exploited?
Yes. CVE-2021-20038 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-20038?
CVE-2021-20038 primarily affects Sonicwall Sma 200 Firmware. In total, 15 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-20038?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-20038 have an EU (EUVD) identifier?
Yes. CVE-2021-20038 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-7501. It is also flagged as exploited in the EUVD (since 2022-01-28).
When was CVE-2021-20038 published?
CVE-2021-20038 was published on 2021-12-08 and last updated on 2026-06-17.

References

Affected products (15)

More vulnerabilities in Sonicwall Sma 200 Firmware

All CVEs affecting Sonicwall Sma 200 Firmware →

Other CWE-121 (Stack-based Buffer Overflow) vulnerabilities

Browse all CWE-121 (Stack-based Buffer Overflow) vulnerabilities →