CVE-2021-20039

HIGH EXPLOITED IN THE WILD

SonicWall SMA 200/210/400/410/500v Firmware - Authenticated OS Command Injection via /cgi-bin/viewcert

Title source: llm

Exploitation Summary

CVE-2021-20039 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including jbaines-r7, including a Metasploit module exploits/linux/http/sonicwall_cve_2021_20039.

AI-analyzed exploit summary This Metasploit module exploits an authenticated command injection vulnerability in SonicWall SMA 100 series web interface, allowing command execution as root. It uses a base64-encoded payload executed via Perl to bypass character restrictions.

Description

Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Exploits (1)

metasploit WORKING POC EXCELLENT

by jbaines-r7 · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/sonicwall_cve_2021_20039.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated command injection vulnerability in SonicWall SMA 100 series web interface, allowing command execution as root. It uses a base64-encoded payload executed via Perl to bypass character restrictions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SonicWall SMA 100 series (versions 10.2.1.2-24sv and below, 10.2.0.8-37sv and below, 9.0.0.11-31sv and below)

Auth required

Prerequisites: Valid credentials for the SonicWall SMA 100 series web interface

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis

Vendor Advisory x_refsource_confirm

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/165563/SonicWall-SMA-100-Series-Authenticated-Command-Injection.html

Scores

CVSS v3 8.8

EPSS 0.7811

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2024-03-30

InTheWild.io 2022-01-27

CWE

CWE-78

Status published

Products (15)

sonicwall/sma_200_firmware 9.0.0.11-31sv

sonicwall/sma_200_firmware 10.2.0.8-37sv

sonicwall/sma_200_firmware 10.2.1.1-19sv

sonicwall/sma_210_firmware 9.0.0.11-31sv

sonicwall/sma_210_firmware 10.2.0.8-37sv

sonicwall/sma_210_firmware 10.2.1.1-19sv

sonicwall/sma_400_firmware 9.0.0.11-31sv

sonicwall/sma_400_firmware 10.2.0.8-37sv

sonicwall/sma_400_firmware 10.2.1.1-19sv

sonicwall/sma_410_firmware 9.0.0.11-31sv

... and 5 more

Published Dec 08, 2021

Tracked Since Feb 18, 2026