MediumCISA KEVExploited in the wildPublic exploit

OS Command Injection in SonicWall SMA100 Management Interface

IdentifiersCVE-2021-20035CWE-78· Improper Neutralization of Special…

CVE-2021-20035 is an operating system command injection vulnerability in the management interface of SonicWall Secure Mobile Access (SMA) 100 series appliances. SonicWall describes the issue as improper neutralization of special elements in the SMA100 management interface, allowing a remote authenticated attacker to inject arbitrary OS commands. The injected commands execute in the context of the 'nobody' user. SonicWall later updated its advisory to note that the issue may lead not only to denial of service but also to potential code execution. Reported affected products include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. Affected firmware branches include 9.0.0.10-28sv and earlier, 10.2.0.7-34sv and earlier, and 10.2.1.0-17sv and earlier.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated remote attacker to execute arbitrary operating system commands on the appliance as the low-privileged 'nobody' user. This can result in unauthorized command execution on the device, potential service disruption or denial of service, and may enable further post-exploitation activity depending on local privilege boundaries and appliance configuration. SonicWall and downstream reporting indicate the impact assessment was revised from potential DoS to potential code execution, and the vulnerability has been confirmed as exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

The provided content states there are no available workarounds for CVE-2021-20035. If immediate patching is not possible, only general exposure-reduction steps can be inferred: restrict access to the SMA management interface to trusted administrative networks, minimize remote exposure, and monitor for signs of compromise. However, these measures do not remediate the flaw; firmware upgrade is the required corrective action based on the available information.

Remediation

Patch, then assume compromise.

Upgrade affected SonicWall SMA100 appliances to a fixed firmware release. Reported fixed versions are 9.0.0.11-31sv and higher, 10.2.0.8-37sv and higher, and 10.2.1.1-19sv and higher. Administrators should identify all affected SMA 100 series devices, validate current firmware branch/version, apply the appropriate vendor-provided update, and verify successful installation. Because the vulnerability is known exploited, remediation should be prioritized on any internet-reachable or externally accessible management deployments.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SonicwallSma 200 Firmwareoperating_system

SonicwallSma 210 Firmwareoperating_system

SonicwallSma 400 Firmwareoperating_system

SonicwallSma 410 Firmwareoperating_system

SonicwallSma 500vapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

30 SOURCESView more in app

zeropath blogNews

Apr 29, 2026

Brief Summary: SonicOS CVE-2026-0204 Management Interface Access Control Bypass Across Gen 6, Gen 7, and Gen 8 Firewalls - ZeroPath Blog | ZeroPath

A previous SonicWall vulnerability referenced as having confirmed active exploitation in the wild and inclusion in CISA's Known Exploited Vulnerabilities catalog.

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

A SonicWall SMA 100 Series OS command injection vulnerability added to CISA KEV due to active exploitation evidence.

dark readingNews

Sep 24, 2025

Threat Actor Deploys 'OVERSTEP' Backdoor in Ongoing SonicWall SMA Attacks

An authenticated remote code execution vulnerability in SonicWall SMA referenced as a possible exploitation vector in UNC6148 activity.

the hacker newsNews

Jul 16, 2025

UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

A known vulnerability in SonicWall SMA 100 series appliances that may allow remote attackers to gain unauthorized access.

+6 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity20

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2021-20035

NVD

nvd.nist.gov/vuln/detail/CVE-2021-20035

MITRE CWE · CWE-78

Improper Neutralization of Special Elements…

Vendor Advisory

psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20035