CVE-2021-20022 — SonicWall Email Security Unrestricted Upload of File Vulnerability

SonicWall Email Security — Post-Auth Admin File Upload Enables Web Shell Deployment; Used in Three-CVE Chain (CVE-2021-20021 + CVE-2021-20022 + CVE-2021-20023) by UNC2682

What is SonicWall Email Security?

SonicWall Email Security is an on-premises email security gateway appliance that provides spam filtering, malware scanning, and email threat protection for organizations. It sits in the email delivery path — all inbound and outbound email passes through it — and includes an administrative web interface for configuration. Because email security appliances process untrusted external content (email messages), are internet-facing, and have privileged access to organizational email communications, they are high-value targets. Compromising an email security gateway gives attackers access to email content, the ability to modify email filtering rules (for phishing campaigns), and a persistent foothold in the network. SonicWall Email Security's administrative interface became an attack surface for a sophisticated three-CVE exploit chain in early 2021.

Overview

CVE-2021-20022 is an unrestricted file upload vulnerability (CWE-434) in SonicWall Email Security's administrator interface that allows an attacker who holds administrator credentials to upload arbitrary files to the server, including web shells that give persistent code execution. This vulnerability is the file-write stage of a three-CVE exploit chain: CVE-2021-20021 (authentication bypass/account creation) provides the admin credentials, CVE-2021-20022 uses those credentials to upload a web shell, and CVE-2021-20023 (path traversal) expands the attacker's file access. Mandiant identified exploitation by UNC2682, a China-linked threat actor, and SonicWall published patches in April 2021. CISA added it to the KEV catalog in November 2021, flagging ransomware use.

Affected Versions

Product                                              Vulnerable   Fixed
SonicWall Email Security 10.0.x before 10.0.9.6173   Yes          10.0.9.6173 and later
SonicWall Email Security hosted/virtual appliance    Yes          Corresponding update

Technical Details

  • Root cause: Unrestricted file upload (CWE-434) — the Email Security admin interface accepts file uploads for configuration, logo, or attachment purposes without validating the file type or contents; an authenticated administrator can upload a file with a .jsp or .aspx extension that the application server then executes when accessed
  • Web shell deployment: A JSP web shell uploaded through the vulnerable interface provides the attacker with a persistent interactive OS command execution interface accessible via HTTP — enabling arbitrary command execution as the application server's user (typically with broad system access on an email appliance)
  • Three-CVE chain: (1) CVE-2021-20021 — unauthenticated attacker creates an admin account or bypasses authentication by exploiting a flaw in the account provisioning logic; (2) CVE-2021-20022 — the newly-created admin account uploads a web shell via the file upload endpoint; (3) CVE-2021-20023 — path traversal extends file access to read arbitrary files on the appliance (credentials, configuration)
  • UNC2682 exploitation: Mandiant identified exploitation by UNC2682 — assessed with moderate confidence as China-linked — who deployed the chain to establish persistent access to victim organizations' email infrastructure for intelligence collection
  • Ransomware use: Post-initial access use of the SonicWall foothold enabled lateral movement into victim networks where ransomware was deployed; the CISA KEV ransomware flag reflects confirmed ransomware deployment following SonicWall compromise
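
To make the CWE-434 root cause concrete, here is an added illustration (not SonicWall's code; the handler names, the logo-upload allowlist and the sample files are constructed for this example): a weak upload handler that stores whatever name the client sends under the web root, beside a hardened handler that checks the extension against an allowlist, verifies the content's magic bytes, discards the client-supplied name, and writes outside the served directory.

```python
"""Added illustration of CWE-434, not SonicWall's code: a weak upload handler
beside a hardened one. Handler names, the logo allowlist and the sample files
are constructed for this example."""
import secrets
import tempfile
from pathlib import Path

# Extensions an application server executes when they are requested from
# under the web root. The weak handler never checks for them.
SERVER_EXECUTABLE = {".jsp", ".jspx", ".war", ".aspx", ".ashx", ".php"}

# Allowlist for a logo-upload feature: extension -> magic bytes the content must start with.
ALLOWED_IMAGE_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
}


class RejectedUpload(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def weak_save_upload(web_root: Path, filename: str, data: bytes) -> Path:
    """The vulnerable pattern: trust the client-supplied name and write the
    bytes straight into the served directory. A name ending in .jsp becomes
    executable the moment it is requested over HTTP."""
    dest = web_root / filename
    dest.write_bytes(data)
    return dest


def hardened_save_upload(storage_root: Path, filename: str, data: bytes) -> Path:
    """Validate type by extension allowlist and by content, drop the client's
    name, and store outside the web root (storage_root must not be served)."""
    # Only the final suffix counts, so "logo.png.jsp" is treated as ".jsp".
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise RejectedUpload(f"extension {ext!r} not in allowlist")
    # The bytes must match the declared type; a script renamed to .png fails here.
    if not data.startswith(ALLOWED_IMAGE_TYPES[ext]):
        raise RejectedUpload("content does not match declared image type")
    # Never reuse the client's name: the server picks one the uploader cannot influence.
    dest = storage_root / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    return dest


def is_server_executable(path: Path) -> bool:
    """Would an application server execute this file if it sat under the web root?"""
    return path.suffix.lower() in SERVER_EXECUTABLE


def demo() -> dict:
    """Run both handlers against constructed inputs and report what each did."""
    with tempfile.TemporaryDirectory() as d:
        web_root = Path(d) / "webapps" / "ROOT"      # constructed served directory
        store = Path(d) / "upload_store"             # constructed non-served directory
        web_root.mkdir(parents=True)
        store.mkdir()
        png = ALLOWED_IMAGE_TYPES[".png"] + b"\x00" * 16     # constructed PNG-like content
        not_png = b"<constructed non-image content>"

        results = {}
        # The weak handler stores a .jsp under the web root without complaint.
        results["weak_accepts_jsp"] = is_server_executable(
            weak_save_upload(web_root, "logo.jsp", not_png))
        # The hardened handler accepts a real PNG, but under a server-chosen name.
        saved = hardened_save_upload(store, "logo.png", png)
        results["hardened_accepts_png"] = saved.exists() and saved.name != "logo.png"
        # ...and rejects a script extension, a double extension, and mismatched content.
        for name, body in (("logo.jsp", not_png), ("logo.png.jsp", not_png), ("logo.png", not_png)):
            try:
                hardened_save_upload(store, name, body)
                results[f"hardened_rejects_{name}"] = False
            except RejectedUpload:
                results[f"hardened_rejects_{name}"] = True
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The three hardened checks are deliberately independent: the allowlist stops the plain .jsp case, taking only the final suffix stops the double-extension trick, and the magic-byte comparison stops a script that merely carries an image extension. Storing under a random name outside the web root means that even a file that slips past all three is never reachable at a URL the uploader can predict.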

Discovery

Discovered by Mandiant researchers during incident response investigations in early 2021. Mandiant reported the zero-day chain to SonicWall, which published patches and a security notice on April 9, 2021. Mandiant's investigation identified UNC2682 as the threat actor exploiting the chain prior to the patch.

Exploitation Context

The SonicWall Email Security exploit chain was notable for targeting a security appliance with a multi-stage zero-day chain — a hallmark of sophisticated threat actors who invest in exploiting security products specifically because these have privileged network positions and implicit trust. Once persistent web shell access is established on an email gateway, attackers can: monitor all organizational email, modify filtering rules to permit phishing campaigns, harvest credentials from email content, and use the appliance's network connectivity to pivot into the internal network. The ransomware use noted in the CISA KEV reflects that the SonicWall foothold was used as initial access for broader ransomware operations.

Remediation

  1. Upgrade SonicWall Email Security to version 10.0.9.6173 or later — this patches all three CVEs in the chain
  2. After patching, conduct a thorough audit of the Email Security appliance for indicators of compromise: look for unexpected JSP or WAR files, unauthorized admin accounts, and suspicious configuration changes
  3. Review Email Security audit logs for file upload events and admin account creation/modification during the vulnerability window (January–April 2021)
  4. Isolate the Email Security appliance: restrict admin interface access to trusted management IPs only — the admin interface should not be internet-accessible
  5. If compromise is suspected: consider rebuilding the appliance from a clean image; web shells may persist through configuration-only remediation
  6. Implement MFA on all SonicWall Email Security admin accounts to raise the bar for future authentication bypass attempts
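
As an added example of steps 2 and 3 (not a SonicWall tool; the web-root layout, the baseline manifest and the audit-log syntax are constructed, and the appliance's real paths and log format will differ): a script that lists server-executable files that are missing from, or differ from, a known-good manifest, and flags upload and admin-account events in audit lines that fall inside the January to April 2021 window.

```python
"""Added audit example, not a SonicWall tool. The web-root layout, the
baseline manifest and the audit-log syntax are constructed for illustration;
the appliance's real paths and log format differ."""
import hashlib
import re
import tempfile
from datetime import date
from pathlib import Path

# File types the application server would execute if found under the web root.
SERVER_EXECUTABLE = {".jsp", ".jspx", ".war", ".class"}
# Vulnerability window from the remediation guidance (January to April 2021).
WINDOW_START, WINDOW_END = date(2021, 1, 1), date(2021, 4, 30)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_server_files(web_root: Path, baseline: dict) -> list:
    """Return (relative_path, sha256, reason) for each server-executable file
    that is absent from the baseline or whose hash differs from it. The baseline
    is a path -> sha256 manifest taken from a clean install of the same build."""
    findings = []
    for p in sorted(web_root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SERVER_EXECUTABLE:
            continue
        rel = p.relative_to(web_root).as_posix()
        digest = sha256_of(p)
        if rel not in baseline:
            findings.append((rel, digest, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, digest, "hash differs from baseline"))
    return findings


# Constructed log syntax: "<YYYY-MM-DD> <HH:MM:SS> user=<u> action=<a> [key=value ...]"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ user=(\S+) action=(\S+)(.*)$")
SUSPICIOUS_ACTIONS = {"file_upload", "admin_create", "admin_modify"}


def flag_audit_events(lines, start=WINDOW_START, end=WINDOW_END) -> list:
    """Return the events whose action is in SUSPICIOUS_ACTIONS and whose date
    lies inside [start, end]. Lines that do not parse are skipped; a real audit
    should count them so that log gaps or tampering are noticed."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        day = date.fromisoformat(m.group(1))
        action = m.group(3)
        if action in SUSPICIOUS_ACTIONS and start <= day <= end:
            details = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
            flagged.append({"date": m.group(1), "user": m.group(2),
                            "action": action, "details": details})
    return flagged


# Constructed audit lines: an admin-account creation followed by a .jsp upload
# by that new account, a benign logo upload, and events outside the window.
SAMPLE_LOG = [
    "2020-12-20 09:00:01 user=admin action=login",
    "2021-03-12 04:11:03 user=svc_mail action=admin_create target=helpdesk2",
    "2021-03-12 04:12:40 user=helpdesk2 action=file_upload name=branding.jsp size=2104",
    "2021-03-15 11:05:22 user=admin action=file_upload name=logo.png size=4301",
    "2021-06-02 08:30:00 user=admin action=admin_modify target=helpdesk2",
    "truncated line that does not parse",
]


def demo() -> dict:
    """Build a constructed web root, compare it to a baseline, and scan SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WEB-INF").mkdir()
        (root / "images").mkdir()
        (root / "index.jsp").write_bytes(b"<constructed legitimate page>")
        (root / "WEB-INF" / "app.war").write_bytes(b"<constructed archive>")
        (root / "images" / "branding.jsp").write_bytes(b"<constructed unexpected file>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG")
        baseline = {
            "index.jsp": sha256_of(root / "index.jsp"),   # unchanged since clean install
            "WEB-INF/app.war": "0" * 64,                  # constructed stale hash: file was modified
        }
        files = find_unexpected_server_files(root, baseline)
    return {"files": files, "events": flag_audit_events(SAMPLE_LOG)}


if __name__ == "__main__":
    out = demo()
    for rel, digest, reason in out["files"]:
        print(f"FILE  {rel}  {digest[:12]}  {reason}")
    for e in out["events"]:
        print(f"EVENT {e['date']} {e['user']} {e['action']} {e['details']}")
```

The two halves reinforce each other: a file finding under an images directory that coincides with an upload event by an account created minutes earlier is exactly the sequence the chain produces. Take the baseline manifest from a clean install of the same build, never from the appliance under review, and treat a hash mismatch on a shipped file as seriously as a new file, since a modified archive can carry the same payload as a dropped .jsp.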

Key Details

Property                Value
CVE ID                  CVE-2021-20022
Vendor / Product        SonicWall — SonicWall Email Security
NVD Published           2021-04-09
NVD Last Modified       2025-11-10
CVSS 3.1 Score          7.2
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-434
CISA KEV Added          2021-11-03
CISA KEV Deadline       2021-11-17
Known Ransomware Use    Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  High
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-04-09   SonicWall publishes security notice for three Email Security zero-days (CVE-2021-20021, CVE-2021-20022, CVE-2021-20023); Mandiant reports active exploitation by UNC2682
2021-04-09   CVE published; SonicWall releases patches for Email Security versions 10.0.9.6173 and later
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline