CVE-2021-20035 — SonicWall SMA100 Appliances OS Command Injection Vulnerability

CVE-2021-20035

SonicWall SMA100 Secure Mobile Access — Authenticated OS Command Injection in Management Interface Allows Remote Code Execution as 'nobody'; Added to KEV April 2025

What is SonicWall SMA100?

SonicWall Secure Mobile Access (SMA) 100 series appliances (SMA 200, 210, 400, 410, 500v) are enterprise SSL VPN and remote access gateways providing organizations with secure network access for remote workers and partners. SMA100 appliances are internet-facing by design — they expose web management interfaces and VPN endpoints to external users. Because these appliances are continuously exposed to the internet and provide authenticated access to internal corporate networks, they are high-value targets for threat actors seeking persistent access to enterprise environments. OS command injection vulnerabilities in VPN appliance management interfaces are particularly dangerous because they give attackers code execution, and frequently a path to root, on the appliance that controls network access for the entire organization.

Overview

CVE-2021-20035 is an OS command injection vulnerability (CWE-78) in the SonicWall SMA100 management interface that allows a remote authenticated attacker to inject arbitrary commands, executed as the 'nobody' user on the appliance. The CVSS impact (A:H only) reflects the original assessment based on the limited 'nobody' privilege context; however, SonicWall noted the vulnerability "could potentially lead to code execution." Exploiting the 'nobody' context on embedded appliances often enables further privilege escalation to root. Added to CISA KEV in April 2025 — three and a half years after the patch — indicating active exploitation of unpatched SMA100 appliances observed in 2025.

Affected Versions

Product                       Vulnerable                                 Fixed
SMA 200, 210, 400, 410, 500v  Yes, firmware 9.x before 9.0.0.10-28sv     9.0.0.10-28sv
SMA 200, 210, 400, 410, 500v  Yes, firmware 10.x before 10.2.0.7-34sv    10.2.0.7-34sv

Technical Details

  • Root cause: OS command injection (CWE-78) in SMA100's management interface — a parameter accepted by the management web application is incorporated into a shell command on the SMA100 Linux-based appliance without proper sanitization; injecting shell metacharacters causes arbitrary commands to execute in the web server process context
  • 'nobody' execution context: The web server component on SMA100 runs as the 'nobody' user (a low-privilege Linux account), so commands injected via CVE-2021-20035 execute in this context. While limited, 'nobody' execution on an embedded appliance can still enable reading sensitive configuration files, exploiting a local privilege escalation to root, and pivoting to the internal network from the appliance's privileged network position
  • Remote exploitation with low privileges: AV:N/PR:L — exploitation requires network access and low-privilege credentials (a valid SMA100 user account), so any authenticated VPN user could potentially exploit this
  • Internet-facing exposure: SMA100 appliances are internet-accessible by design; unlike internal infrastructure vulnerabilities, exploitation requires only network access (no lateral movement needed from an internal position)
  • Long exploitation tail: The April 2025 CISA KEV addition — three and a half years after the September 2021 patch — reflects the persistent phenomenon of organizations running unpatched VPN appliances, particularly legacy appliances that are difficult to update without maintenance windows
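The root-cause bullet above describes caller input being spliced into a shell command. The following Python example was added for this page and is not SonicWall code: the ping endpoint, the hostnames and the function names are constructed illustrations, not the affected SMA100 parameter, which the advisory does not name. It puts the string-concatenation pattern next to the argv pattern, counts how many commands a POSIX shell would parse from each string, and shows the allow-list check that belongs in front of any process launch.

```python
import re
import shlex
import subprocess

# Constructed sample inputs for illustration only (not values from the advisory):
# a benign target and one carrying a shell metacharacter.
BENIGN_HOST = "203.0.113.10"
HOSTILE_HOST = "203.0.113.10; echo injected"

# Shell tokens that separate one command from the next.
COMMAND_SEPARATORS = {";", "|", "||", "&", "&&"}

# Strict allow-list: hostname or IPv4 literal, starting with an alphanumeric
# so the value can never be mistaken for a command-line option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_command_string(host: str) -> str:
    """Vulnerable pattern: caller-controlled input concatenated into a shell
    command line that would later be handed to /bin/sh (shell=True)."""
    return f"ping -c 1 {host}"


def shell_command_count(command_line: str) -> int:
    """How many commands a POSIX shell would see in command_line.

    shlex with punctuation_chars=True emits ';', '|', '&' (and their doubled
    forms) as standalone tokens, so each separator starts another command.
    This models plain separators only, not $(...) or backtick substitution.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for token in lexer if token in COMMAND_SEPARATORS)


def validate_host(host: str) -> str:
    """Reject anything outside the hostname/IPv4 character set."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_argv(host: str) -> list[str]:
    """Hardened pattern: validated input becomes exactly one argv element."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened form. With a list and shell=False no shell is
    involved, so metacharacters in `host` stay inert even if validation
    were ever bypassed. Returns the process exit status."""
    completed = subprocess.run(
        build_argv(host), shell=False, capture_output=True, text=True, timeout=timeout
    )
    return completed.returncode


if __name__ == "__main__":
    for host in (BENIGN_HOST, HOSTILE_HOST):
        line = build_command_string(host)
        print(f"{line!r:45} -> {shell_command_count(line)} command(s) if passed to a shell")
    print("argv form:", build_argv(BENIGN_HOST))
```

The two defences are independent on purpose: the allow-list rejects the hostile value before anything runs, and the argv form guarantees that even a value which slipped past validation reaches the target binary as a single argument rather than as shell syntax. Reviewing an appliance's web handlers for the string-concatenation shape is the code-level counterpart of the log review recommended under Remediation.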

Discovery

Reported to SonicWall and patched in September 2021 firmware updates for all SMA100 series appliances. CISA's April 2025 KEV addition reflects active exploitation detected approximately three years after patch availability — consistent with the pattern of threat actors (including ransomware affiliates and nation-state groups) targeting organizations with long-unpatched SonicWall appliances.

Exploitation Context

SonicWall appliances have been persistent targets for sophisticated threat actors. The SMA series was targeted in earlier campaigns (CVE-2021-20016; CVE-2021-20021 and CVE-2021-20022 for Email Security), and CVE-2021-20035 extends that targeting to SMA100 devices. Internet-facing VPN appliances are particularly valuable attack targets because: (1) successful exploitation provides the attacker with the same network access granted to legitimate VPN users, (2) the appliance itself may contain stored VPN credentials or configuration that enables further access, and (3) long maintenance cycles on dedicated VPN hardware create extended vulnerability windows. The April 2025 KEV addition suggests ongoing campaigns targeting unpatched SMA100 appliances in enterprise environments.

Remediation

  1. Upgrade SMA100 firmware to 9.0.0.10-28sv (9.x branch) or 10.2.0.7-34sv (10.x branch) or later — these releases patch CVE-2021-20035
  2. Check the current SMA100 firmware version in the management console and apply updates according to SonicWall's SNWLID-2021-0022 advisory
  3. Restrict SMA100 management interface access: the management interface should not be accessible from the internet; restrict access to management IP ranges via the appliance's access control lists
  4. Enable multi-factor authentication for all SMA100 VPN users — this limits the exposure from compromised low-privilege credentials required for PR:L exploitation
  5. Review SMA100 logs for unexpected commands executed via the management interface or unusual process execution patterns
  6. Consider SonicWall's SMA100 End-of-Life status for older appliances: older firmware branches may no longer receive security updates; verify your version is still supported and receiving patches
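Remediation steps 1 and 2 come down to comparing each appliance's running firmware against the fixed build for its branch in the Affected Versions table. The Python helper below was added for this page and is not a SonicWall tool: the version-string shape is assumed from the versions quoted on this page (dotted numeric fields plus a "-<build>sv" suffix), and the inventory is constructed. It parses versions into comparable tuples, decides per branch whether a build predates the fix, and triages a list of appliances; a branch the table does not cover is flagged for review rather than silently passed.

```python
import re
from typing import Optional

# Fixed builds from the Affected Versions table, keyed by firmware branch (major version).
FIXED_VERSIONS = {
    9: "9.0.0.10-28sv",
    10: "10.2.0.7-34sv",
}

# Assumed shape of an SMA100 version string, inferred from the versions quoted on this
# page: up to four dotted numeric fields and an optional "-<build>sv" suffix.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,3})(?:-(\d+)sv)?")


def parse_version(version: str) -> tuple:
    """Turn '10.2.0.6-32sv' into (10, 2, 0, 6, 32) so tuples compare numerically."""
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA100 version string: {version!r}")
    fields = [int(part) for part in match.group(1).split(".")]
    fields += [0] * (4 - len(fields))        # pad so 10.2.0 compares equal to 10.2.0.0
    build = int(match.group(2)) if match.group(2) else 0
    return tuple(fields) + (build,)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if `version` is an unpatched 9.x/10.x build, False if at or above
    the fixed build, None if the branch is not covered by this advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map appliance name -> PATCH / OK / REVIEW (branch not covered here)."""
    verdicts = {}
    for name, version in inventory.items():
        state = is_vulnerable(version)
        verdicts[name] = "REVIEW" if state is None else ("PATCH" if state else "OK")
    return verdicts


# Constructed inventory for demonstration; names and versions are not real appliances.
SAMPLE_INVENTORY = {
    "sma-site-a": "10.2.0.6-32sv",
    "sma-site-b": "10.2.0.7-34sv",
    "sma-legacy": "9.0.0.9-19sv",
    "sma-other": "12.4.1-1sv",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {SAMPLE_INVENTORY[name]:16} {verdict}")
```

Because the fix lands at a specific build number, the comparison must include the "-NNsv" suffix: 10.2.0.7-33sv is still below the fixed 10.2.0.7-34sv even though the dotted fields match. The REVIEW verdict for uncovered branches is deliberate, since a version outside the two branches in the table says nothing about exposure and should be checked against the vendor advisory and end-of-life status (step 6) instead.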

Key Details

Property              Value
CVE ID                CVE-2021-20035
Vendor / Product      SonicWall — SMA100 Appliances
NVD Published         2021-09-27
NVD Last Modified     2025-10-31
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity              MEDIUM
CWE                   CWE-78
CISA KEV Added        2025-04-16
CISA KEV Deadline     2025-05-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric              Value
Attack Vector       Network
Attack Complexity   Low
Privileges Required Low
User Interaction    None
Scope               Unchanged
Confidentiality     None
Integrity           None
Availability        High

Required Action

CISA BOD 22-01 Deadline: 2025-05-07. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2021-09-07  SonicWall releases firmware update addressing CVE-2021-20035 in SMA100 appliances
2021-09-27  CVE published; SonicWall publishes advisory SNWLID-2021-0022
2025-04-16  Added to CISA Known Exploited Vulnerabilities catalog — three and a half years after patch, reflecting active exploitation
2025-05-07  CISA BOD 22-01 remediation deadline

References

Resource                                   Type
SonicWall PSIRT Advisory SNWLID-2021-0022  Vendor Advisory
NVD — CVE-2021-20035                       Vulnerability Database
CISA KEV Catalog Entry                     US Government