CVE-2021-20021 — SonicWall Email Security Improper Privilege Management Vulnerability

CVE-2021-20021

SonicWall Email Security — Unauthenticated Admin Account Creation via Crafted HTTP Request; Stage One of a Three-CVE Zero-Day Chain Exploited In the Wild (Mandiant: UNC2682)

What is SonicWall Email Security?

SonicWall Email Security is an enterprise email gateway that filters inbound and outbound mail for spam, malware, and phishing. It ships as hardware appliances, ESXi virtual appliances, and Windows-based software, and it sits at the network perimeter as an internet-accessible service through which all of an organization's email passes. Administrator-level access to it therefore lets an attacker read and alter email in transit, weaken filtering, and use the appliance as a foothold in the DMZ from which to pivot into internal networks.

Overview

CVE-2021-20021 is an improper privilege management vulnerability (CWE-269) in SonicWall Email Security that allows an unauthenticated remote attacker to create a new administrator account by sending a specially crafted HTTP request to the appliance. It is the entry point of a three-CVE chain: once the attacker holds an administrator session, CVE-2021-20022 (post-authentication arbitrary file upload) is used to write files such as a webshell, and CVE-2021-20023 (post-authentication arbitrary file read) is used to read configuration and other sensitive files. Mandiant Managed Defense identified the chain being exploited in the wild in March 2021, before any patch existed, and attributed the activity to a group it tracks as UNC2682, which installed the BEHINDER webshell and used the compromised appliance as a foothold to move laterally into the victim's internal network. The FIVEHANDS ransomware operator UNC2447 is often cited alongside this CVE, but its SonicWall zero-day was CVE-2021-20016 in the SMA 100 series, a different product.

Affected Versions

Product Vulnerable Fixed
SonicWall Email Security 10.0.9.x and earlier (Windows) Yes 10.0.9.6262
SonicWall Email Security 10.0.9.x and earlier (Hardware Appliance) Yes 10.0.9.6262
SonicWall Email Security 10.0.9.x and earlier (ESXi Virtual Appliance) Yes 10.0.9.6262

Technical Details

The SonicWall Email Security administrative interface accepts account creation requests without checking who is making them:

  • Root cause: Improper privilege management (CWE-269). The web application processes account creation requests without first validating that the requester holds an authenticated administrator session. A crafted HTTP request to the admin account creation endpoint therefore creates a new administrator account with no prior authentication at all
  • Exploit chain position: CVE-2021-20021 is stage 1 of the chain and is the only pre-authentication bug in it. The two follow-on bugs are post-authentication and rely on the account created here: CVE-2021-20022 (arbitrary file upload) writes a webshell or other payload onto the appliance, and CVE-2021-20023 (arbitrary file read) exposes configuration data and other sensitive files
  • Impact of admin access: With administrator rights on SonicWall Email Security an attacker can read email content, modify filtering rules so malicious attachments pass, recover LDAP/AD integration credentials, and use the appliance as a pivot point into the internal network
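To make the CWE-269 pattern concrete, the following is an illustrative model written for this page, not SonicWall's code: it does not reproduce the real Email Security endpoint, parameter names or session handling, all of which are assumptions. It contrasts a handler that creates an administrator from the request body alone with one that first resolves the caller's session and requires an existing administrator.

```python
"""Hypothetical model of CWE-269 in an admin-account-creation endpoint.

Illustrative example for this page; NOT SonicWall code. The request shape,
session table and role names are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    """Minimal HTTP-request stand-in: cookies (session may be absent) and form fields."""
    cookies: dict
    form: dict


@dataclass
class AppState:
    """In-memory stand-in for the appliance's user database and session table."""
    users: dict = field(default_factory=dict)      # username -> role
    sessions: dict = field(default_factory=dict)   # session id -> username
    audit_log: list = field(default_factory=list)


def login(state: AppState, username: str) -> str:
    """Issue a session for an existing user (password check omitted; assumed done elsewhere)."""
    if username not in state.users:
        raise PermissionError("unknown user")
    sid = secrets.token_urlsafe(32)
    state.sessions[sid] = username
    return sid


def create_admin_vulnerable(state: AppState, req: Request) -> int:
    """CWE-269 pattern: trusts the request body and never asks who is calling.
    Any unauthenticated client that reaches this handler creates an administrator."""
    state.users[req.form["username"]] = "admin"
    return 200


def create_admin_fixed(state: AppState, req: Request) -> int:
    """Hardened handler: the caller must present a valid session that maps to an
    existing administrator, and the privileged action is written to the audit log."""
    sid = req.cookies.get("session")
    caller = state.sessions.get(sid) if sid else None
    if caller is None:
        return 401                       # no valid session: not even authenticated
    if state.users.get(caller) != "admin":
        return 403                       # authenticated, but not privileged
    new_user = req.form.get("username", "")
    if not new_user or new_user in state.users:
        return 400
    state.users[new_user] = "admin"
    state.audit_log.append(f"admin {caller} created admin account {new_user}")
    return 201


def demo() -> dict:
    """Run both handlers against the same unauthenticated request and report outcomes."""
    anon = Request(cookies={}, form={"username": "backdoor"})
    weak = AppState(users={"admin": "admin"})
    strong = AppState(users={"admin": "admin", "helpdesk": "user"})
    results = {
        "vulnerable_status": create_admin_vulnerable(weak, anon),
        "vulnerable_created": "backdoor" in weak.users,
        "fixed_anon_status": create_admin_fixed(strong, anon),
    }
    # A logged-in non-admin must also be refused; a real admin succeeds and is logged.
    helpdesk = Request(cookies={"session": login(strong, "helpdesk")}, form={"username": "x"})
    results["fixed_user_status"] = create_admin_fixed(strong, helpdesk)
    admin = Request(cookies={"session": login(strong, "admin")}, form={"username": "newadmin"})
    results["fixed_admin_status"] = create_admin_fixed(strong, admin)
    results["fixed_admins"] = sorted(u for u, r in strong.users.items() if r == "admin")
    results["audit_entries"] = len(strong.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in the fixed handler is ordered deliberately: authentication (is there a session at all) before authorization (does that session belong to an administrator), and the audit entry names the acting administrator so that an account created through a stolen admin session is still traceable afterwards.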

Discovery

Identified by Mandiant Managed Defense in March 2021 as post-exploitation activity on a customer's internet-facing Email Security system; the ensuing investigation showed the three vulnerabilities were being chained as zero-days. Mandiant reported them to SonicWall, which released patches and an advisory on April 9, 2021. Mandiant published its analysis of the exploitation, attributing it to UNC2682, on April 20, 2021.

Exploitation Context

Mandiant attributes the exploitation to a group it tracks as UNC2682. After creating an administrator account through CVE-2021-20021, the actor used the post-authentication file upload flaw (CVE-2021-20022) to install BEHINDER, a publicly available multi-platform webshell, and the file read flaw (CVE-2021-20023) to read files on the appliance, then moved laterally into the victim's internal network. Because the foothold is on the email gateway itself, it survives workstation reimaging and user password resets unless the appliance is patched, audited for planted accounts and files, and the credentials it holds are rotated. The case is a clear example of threat actors targeting perimeter security appliances rather than end-user workstations. The FIVEHANDS ransomware activity of UNC2447 that is frequently associated with this CVE instead exploited CVE-2021-20016 in SonicWall SMA 100 series devices.

Remediation

  1. Apply SonicWall Email Security update 10.0.9.6262 immediately — this patches all three vulnerabilities in the chain
  2. After patching, audit SonicWall Email Security for unauthorized administrator accounts created by the exploit
  3. Review all SonicWall Email Security audit logs for unauthorized access, configuration changes, and file operations
  4. Search the SonicWall Email Security installation directories for webshells or unauthorized files planted via CVE-2021-20022
  5. Rotate all credentials that SonicWall Email Security has access to: LDAP/Active Directory service accounts, SMTP relay credentials, and any API keys configured in the product
  6. Restrict administrative access to the SonicWall Email Security management interface to known administrator IP ranges
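Steps 2 and 4 above are the checks most likely to be skipped under time pressure. The script below is an added example written for this page, not a SonicWall tool: it diffs an exported administrator list against a known-good baseline and walks a directory tree looking for recently modified web-executable files whose contents resemble a webshell. The install layout, file names and sample contents are constructed for the demonstration; point `scan_for_webshells` at the real web application directory of the appliance and pass the start of the suspected exploitation window.

```python
"""Post-patch triage helpers for a compromised email gateway.

Added example for this page, not SonicWall code. Two checks matching remediation
steps 2 and 4: (1) diff current administrators against a known-good baseline,
(2) scan a directory tree for recently modified files that look like webshells.
Directory layout, file names and sample contents below are constructed.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Patterns common to JSP/PHP/ASPX webshells: command execution driven by request
# parameters, or classes loaded from a request body. Tuned for triage, not proof.
WEBSHELL_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"ProcessBuilder\s*\("),
    re.compile(rb"defineClass\s*\("),   # Java shells that load classes sent in the request
    re.compile(rb"request\.getParameter\s*\(.*(exec|cmd|pass)", re.I),
    re.compile(rb"(eval|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
]
WEB_EXTENSIONS = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}


def find_unexpected_admins(current_admins, baseline_admins):
    """Return administrator names present now but absent from the known-good baseline."""
    return sorted(set(current_admins) - set(baseline_admins))


def scan_for_webshells(root, modified_since):
    """Walk `root` and flag web-executable files modified after `modified_since`
    (epoch seconds) whose contents match a webshell pattern. Returns sorted
    POSIX-style paths relative to `root`."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        if path.stat().st_mtime < modified_since:
            continue                      # predates the exploitation window
        data = path.read_bytes()
        if any(p.search(data) for p in WEBSHELL_PATTERNS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed install tree with one planted shell and run both checks."""
    baseline = ["admin", "mailops"]                 # constructed pre-incident baseline
    current = ["admin", "mailops", "svc_backup"]    # constructed export; svc_backup is planted

    with tempfile.TemporaryDirectory() as root:
        web = Path(root, "webapps", "ROOT")
        web.mkdir(parents=True)
        (web / "login.jsp").write_bytes(b"<%@ page %><html>legit login page</html>")
        (web / "help.jsp").write_bytes(
            b'<%@ page %><% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
        (web / "notes.txt").write_bytes(b"Runtime.getRuntime().exec is mentioned in docs")
        old = time.time() - 30 * 86400
        os.utime(web / "login.jsp", (old, old))     # make the legit page look untouched
        window_start = time.time() - 7 * 86400
        return {
            "unexpected_admins": find_unexpected_admins(current, baseline),
            "webshell_hits": scan_for_webshells(root, modified_since=window_start),
        }


if __name__ == "__main__":
    print(demo())
```

Treat a hit from either check as a reason to rebuild the appliance from a clean image rather than to delete the offending account or file in place: an attacker who held admin rights long enough to plant a shell may also have altered filtering rules, added mail routing, or exported the LDAP bind credentials covered by step 5.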

Key Details

Property Value
CVE ID CVE-2021-20021
Vendor / Product SonicWall — SonicWall Email Security
NVD Published 2021-04-09
NVD Last Modified 2025-11-10
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-269
CISA KEV Added 2021-11-03
CISA KEV Deadline 2021-11-17
Known Ransomware Use Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date Event
2021-03-26 SonicWall notified of active exploitation; Mandiant begins incident response
2021-04-09 SonicWall releases patches and its advisory; CVE-2021-20021 published in NVD
2021-04-20 Mandiant publishes its report on the exploitation, attributing it to UNC2682
2021-11-03 Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 CISA BOD 22-01 remediation deadline