CVE-2021-20028 — SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability


SonicWall SRA — EOL VPN Appliance SQL Injection Enabling Unauthenticated Credential Theft, Used in Ransomware Campaigns

What is SonicWall Secure Remote Access?

SonicWall Secure Remote Access (SRA) appliances (SRA 4600, SRA 1600, SRA Virtual Appliance) are SSL VPN gateways that provide remote access for employees to corporate network resources. The SRA product line reached end-of-life status — SonicWall no longer provides firmware updates or security patches for these devices. Despite their EOL status, many organizations continued deploying SRA appliances after their support window closed, leaving them with unpatched critical vulnerabilities. CISA's required action for this CVE is explicit: disconnect EOL SRA devices from the network.

Overview

CVE-2021-20028 is an improper neutralization of SQL commands (SQL injection, CWE-89) in SonicWall's Secure Remote Access (SRA) products. An unauthenticated remote attacker can exploit the SQL injection to access the SRA's credential database, extract VPN user credentials, and potentially authenticate to the VPN without knowing any valid passwords. SonicWall published an advisory in August 2021; CISA added this to KEV in March 2022 following confirmed ransomware exploitation. Because the affected products are EOL, no patch is available.

Affected Versions

Product                          Status             Action
SonicWall SRA 4600               EOL — Vulnerable   Disconnect immediately
SonicWall SRA 1600               EOL — Vulnerable   Disconnect immediately
SonicWall SRA Virtual Appliance  EOL — Vulnerable   Disconnect immediately

Technical Details

The SRA web interface includes a SQL injection vulnerability in its authentication flow. SQL queries that process user-supplied login parameters (username, password, or session identifiers) are not properly parameterized:

  • Root cause: SQL injection (CWE-89) — user-supplied input is incorporated into SQL queries without proper parameterization or escaping
  • Authentication required: None — the SQL injection is exploitable in the pre-authentication login flow
  • Impact: Full access to the SRA credential database, including VPN user credentials (potentially plaintext or easily crackable hashes)
  • Credential use: Extracted VPN credentials can be used to authenticate to the VPN, providing network access to the organization
  • No patch available: The affected products are EOL — SonicWall will not release a fix
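The root cause listed above is the generic CWE-89 pattern: a login parameter is spliced into the SQL text, so the database parses attacker-controlled characters as query syntax. The following added illustration is not SonicWall code and does not reproduce the SRA's actual queries; it uses a constructed in-memory SQLite user table with a string-built lookup beside its parameterized form, so the difference in behaviour on the same input can be seen directly.

```python
import sqlite3

# Constructed stand-in for an appliance's local credential store. This is an
# added CWE-89 illustration, not code from SonicWall or the SRA firmware.
def build_user_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],  # constructed sample rows
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The query is assembled by string formatting, so the username is parsed as SQL.

    A value containing a quote changes the statement itself: the WHERE clause
    can be rewritten to match every row, which is how a pre-auth injection
    turns a login lookup into a dump of the credential table.
    """
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver sends the username as data, never as query text.

    The same input that rewrote the vulnerable query is simply compared, as a
    literal string, against the username column and matches nothing.
    """
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchall()


def query_is_malformed(conn: sqlite3.Connection, username: str) -> bool:
    """True if the string-built query fails to parse for this input.

    A plain apostrophe in a legitimate name (o'brien) already breaks the
    vulnerable query; database syntax errors in appliance logs are therefore
    a cheap signal that unparameterized queries are reachable from user input.
    """
    try:
        lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


def compare(username: str) -> dict:
    """Run both lookups on one input and report the row counts side by side."""
    conn = build_user_db()
    vulnerable_rows = None
    try:
        vulnerable_rows = len(lookup_vulnerable(conn, username))
    except sqlite3.OperationalError:
        pass  # malformed query; reported as None
    return {
        "input": username,
        "vulnerable_rows": vulnerable_rows,
        "safe_rows": len(lookup_safe(conn, username)),
    }


if __name__ == "__main__":
    for name in ("alice", "o'brien", "' OR '1'='1"):
        print(compare(name))
```

Running the block shows three rows of output: the honest username matches one row in both variants; the name with an apostrophe produces a parse error in the string-built query but a clean empty result from the parameterized one; and the quote-bearing tautology returns every credential row from the vulnerable lookup while the safe lookup returns none. The fix is entirely in `lookup_safe`: no escaping, no filtering, just a placeholder and a bound value.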

Discovery

Identified and reported to SonicWall. SonicWall confirmed EOL status and recommended disconnecting rather than patching.

Exploitation Context

Ransomware operators actively target VPN appliances as initial access vectors. EOL SonicWall SRA devices with exposed management interfaces were actively scanned and exploited in ransomware campaigns. The SQL injection enabled credential theft, which attackers used to access corporate VPNs and deploy ransomware. SonicWall SRA has been repeatedly targeted — earlier vulnerabilities (CVE-2019-7481) in the same product line were also exploited in ransomware campaigns.

Remediation

  1. Disconnect all EOL SonicWall SRA devices immediately — no patch is available
  2. Replace EOL SRA with supported SonicWall SMA 100 series or other currently supported VPN solutions
  3. If immediate replacement is not possible: disconnect from internet access, restrict to internal-only management, and treat as fully compromised
  4. Rotate all VPN user credentials that may have been stored on the SRA device
  5. Review VPN authentication logs for unauthorized logins during the period the SRA was deployed
  6. Consider replacing the VPN solution with a modern zero-trust network access (ZTNA) approach

Key Details

Property                Value
CVE ID                  CVE-2021-20028
Vendor / Product        SonicWall — Secure Remote Access (SRA)
NVD Published           2021-08-04
NVD Last Modified       2025-10-31
CVSS 3.1 Score          9.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-89
CISA KEV Added          2022-03-28
CISA KEV Deadline       2022-04-18
Known Ransomware Use    ⚠️ Yes

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date        Event
2021-08-04  SonicWall publishes PSIRT advisory; CVE published
2022-03-28  Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18  CISA BOD 22-01 remediation deadline

References

Resource                                   Type
SonicWall PSIRT Advisory SNWLID-2021-0019  Vendor Advisory
NVD — CVE-2021-20028                       Vulnerability Database
CISA KEV Catalog Entry                     US Government