CVE-2021-20016

critical-risk

Published 2021-02-04

A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.

Do I need to act?

78.0% chance of exploitation in next 30 days

EPSS score — higher than 22% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (6)

Sma 100 Firmware

Sma 200 Firmware

Sma 210 Firmware

Sma 400 Firmware

Sma 410 Firmware

Sma 500V

Affected Vendors

Sonicwall

References (3)

Mitigation https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 27/34 · High

Exposure 13/34 · Low