Last updated at Wed, 08 Dec 2021 20:25:17 GMT


On December 7, 2021, SonicWall released a security advisory that includes patching guidance for five vulnerabilities in SonicWall SMA 100 series devices discovered by Rapid7 (including CVE-2021-20038, rated CVSSv3 9.8, critical), as well as several other CVEs discovered by NCC Group. While there are no reports of in-the-wild exploitation of these vulnerabilities at the time of writing, SonicWall “strongly urges” organizations to apply the appropriate patches.

From SonicWall’s advisory:

| Issue ID | Summary | CVE | CVSSv3 | Reporting Party |
|---|---|---|---|---|
| SMA-3217 | Unauthenticated Stack-Based Buffer Overflow | CVE-2021-20038 | 9.8 | Rapid7 |
| SMA-3204 | Authenticated Command Injection | CVE-2021-20039 | 7.2 | Rapid7 |
| SMA-3206 | Unauthenticated File Upload Path Traversal | CVE-2021-20040 | 6.5 | Rapid7, NCC Group |
| SMA-3207 | Unauthenticated CPU Exhaustion | CVE-2021-20041 | 7.5 | Rapid7 |
| SMA-3208 | Unauthenticated Confused Deputy | CVE-2021-20042 | 6.3 | Rapid7 |
| SMA-3231 | Heap-Based Buffer Overflow | CVE-2021-20043 | 8.8 | NCC Group |
| SMA-3233 | Post-Authentication Remote Command Execution | CVE-2021-20044 | 7.2 | NCC Group |
| SMA-3235 | Multiple Unauthenticated Heap-Based and Stack-Based Buffer Overflows | CVE-2021-20045 | 9.4 | NCC Group |

Affected versions

The issues listed above impact SMA 100 series appliances (SMA 200, 210, 400, 410 and the SMA 500v virtual appliance). Consult SonicWall’s advisory for the specific firmware versions affected and the fixed releases for each model.

Full disclosure scheduled for January 2022

Rapid7 will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.


As with all critical vulnerabilities in network-edge appliances, Rapid7 recommends patching immediately. SonicWall devices were exploited at scale earlier in 2021 and are generally high-value targets for attackers, since a compromised SMA appliance sits directly on the boundary between the internet and internal resources. SonicWall does not list any workarounds for these issues, so patching is the only remediation. For more information, see SonicWall’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to all eight of the CVEs in this advisory with vulnerability checks in the December 7, 2021 content release.
