By security practitioners, for security practitioners novacoast federal | Pillr | novacoast | about innovate
By security practitioners, for security practitioners

SonicWall Email Security Products Target of Zero-Day Exploits

Security researchers FireEye have identified three zero-day vulnerabilities in SonicWall Email Security (ES) products. These vulnerabilities can be chained together to gain administrative access to enterprise networks and achieve code execution, and are reportedly being exploited in the wild.

What’s the nature of the vulnerabilities?

Identified by FireEye researchers in March 2021, the three vulnerabilites have been observed as exploited in the wild.

The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10.

The other two vulnerabilities have CVSS scores of 7.2 and 6.7. 

The vulnerabilities are being tracked as:

  • CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host (CVSS 9.8). Allows attacker to create an account with administrator privileges through an XML document. 
  • CVE-2021-20022 – Post-authentication vulnerability, presumably used in conjunction with the first. It would allow an attacker to upload a file to the device (CVSS 7.2).
  • CVE-2021-20023 – Gives the ability to access any file stored on the remote host. (CVSS 6.7)

FireEye researchers did not attribute the observed attacks to any threat group; however, they tracked activity as UNC2682.

Affected Products

  • SonicWall On-premise Email Security (ES) version 10.0.9 and earlier
  • Hosted Email Security (HES) version 10.0.9 and earlier

What’s the risk?

Threat actors could exploit these vulnerabilities to gain administrative access and code execution on a SonicWall ES device, allowing installation of a backdoor, file & email access, and lateral movement in the victim organization’s network.

It is unclear how many victims have been impacted by these vulnerabilities.

How can I fix it?

A hotfix is available from SonicWall:

  • Hosted Email Security (HES) automatically upgraded to Hotfix, no action required by the HES users.
  • On-premise Email Security Windows users should upgrade to and Appliance users should upgrade to Hotfix is available for download on

SonicWall has provided a step-by-step guide for applying security upgrades. 



Previous Post

Authentication Bypass Zero-Day in Pulse Connect Secure Awaits Patch

Next Post

Passwordstate Users Delivered Malware Via Automatic Update

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.