CVE-2021-20038

Tags: CRITICAL · KEV · RANSOMWARE · NUCLEI

SonicWall SMA 100 Series Firmware <= 10.2.1.2-24sv - Unauthenticated Stack-based Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2021-20038 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 28, 2022), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including vesperp and anir0y. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-20038, a SonicWall SSL-VPN RCE vulnerability. The exploit leverages a command injection via the User-Agent header to execute arbitrary commands on the target system.

Description

A stack-based buffer overflow vulnerability in the SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user on the appliance. This vulnerability affects SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

Exploits (3)

nomisec · WORKING POC · 1 star
by vesperp · poc
https://github.com/vesperp/CVE-2021-20038-SonicWall-RCE

This repository contains a functional exploit for CVE-2021-20038, a SonicWall SSL-VPN RCE vulnerability. The exploit leverages a command injection via the User-Agent header to execute arbitrary commands on the target system.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SonicWall SSL-VPN
Authentication: none needed
Prerequisites: Network access to the target SonicWall SSL-VPN interface
Analyzed by devstral-2 · Feb 18, 2026
nomisec · WORKING POC
by anir0y · poc
https://github.com/anir0y/sonicwall-audit-toolkit

This repository contains a functional exploit for CVE-2021-20038, a stack buffer overflow in SonicWall SMA100 SSL-VPN CGI binaries. It includes a Docker-based lab environment with vulnerable containers, exploit skeletons, and working solutions for both CVE-2021-20038 and CVE-2024-53704.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Complex
Reliability: Reliable
Target: SonicWall SMA100 SSL-VPN
Authentication: none needed
Prerequisites: Docker environment · Python dependencies
Analyzed by devstral-2 · Feb 23, 2026
vulncheck_xdb · WORKING POC · remote
https://github.com/jbaines-r7/badblood

The repository contains a functional exploit for CVE-2021-20038, a stack-based buffer overflow in the SonicWall SMA-100 series firmware versions 10.2.1.x. The exploit opens a telnet bind shell on port 1270, achieving execution as the 'nobody' user.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Complex
Reliability: Reliable
Target: SonicWall SMA-100 series firmware versions 10.2.1.x
Authentication: none needed
Prerequisites: Target IP address · Local IP address · Target firmware version
Analyzed by devstral-2 · Feb 25, 2026

Nuclei Templates (1)

SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
CRITICAL · by dwisiswant0, jbaines-r7

Scores

CVSS v3: 9.8
EPSS: 0.9429
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2022-01-28
VulnCheck KEV: 2022-01-28
InTheWild.io: 2022-01-24
ENISA EUVD: EUVD-2021-7501
Ransomware Use: Confirmed
CWE: CWE-121, CWE-787
Status: published
Products (15)
sonicwall/sma_200_firmware 10.2.0.8-37sv
sonicwall/sma_200_firmware 10.2.1.1-19sv
sonicwall/sma_200_firmware 10.2.1.2-24sv
sonicwall/sma_210_firmware 10.2.0.8-37sv
sonicwall/sma_210_firmware 10.2.1.1-19sv
sonicwall/sma_210_firmware 10.2.1.2-24sv
sonicwall/sma_400_firmware 10.2.0.8-37sv
sonicwall/sma_400_firmware 10.2.1.1-19sv
sonicwall/sma_400_firmware 10.2.1.2-24sv
sonicwall/sma_410_firmware 10.2.0.8-37sv
... and 5 more
Published: Dec 08, 2021
KEV Added: Jan 28, 2022
Tracked Since: Feb 18, 2026