IRONSMITHINTEL

CVE-2021-20023 | CVSS 4.9 (Medium) | Actively Exploited | CISA KEV | Auth: high (administrative privileges) | Reboot: required | Manual only

SonicWall Email Security < 10.0.9 — Path Traversal

SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Security exploit chain along with CVE-2021-20021 and CVE-2021-20022 to achieve privilege escalation.

Published Apr 20, 2021 · Updated May 17, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

A remote attacker with administrative privileges can achieve full loss of data confidentiality. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2021-11-17 under CISA BOD 22-01.

How the attack works (no clicks needed)

This is a Path Traversal (CWE-22) vulnerability in SonicWall Email Security. SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host. Exploitation requires remote network access, low attack complexity and an administrative account; no user interaction is required.

Am I affected? Quick check

Probably yes if any of these apply:

Category: IT Security

Running one of these builds:
- Email Security: v < 10.0.9.6173
- Email Security Appliance 9000 firmware: v < 10.0.9.6177
- Email Security Appliance 3300 firmware: v < 10.0.9.6177
- Email Security Appliance 4300 firmware: v < 10.0.9.6177
- Email Security Appliance 8300 firmware: v < 10.0.9.6177
- Email Security Appliance 5000 firmware: v < 10.0.9.6177
- Email Security Appliance 7000 firmware: v < 10.0.9.6177
- Email Security Appliance 5050 firmware: v < 10.0.9.6177
- Email Security Appliance 7050 firmware: v < 10.0.9.6177
- Email Security Virtual Appliance: v < 10.0.9.6177
- Hosted Email Security: v < 10.0.9.6173

Fixed in: 10.0.9
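An added example of the quick check above, written for this page and not a script from this site or from SonicWall: it encodes the listed fixed builds, compares versions as integer tuples rather than strings (so 10.0.10.x is not misread as older than 10.0.9.x), and runs over a constructed inventory whose hostnames and rows are made up.

```python
import re

# Minimum fixed builds from this advisory's "Am I affected?" list: every
# listed appliance model and the virtual appliance are fixed at
# 10.0.9.6177, the software and hosted products at 10.0.9.6173.
APPLIANCE_MODELS = ("3300", "4300", "5000", "5050", "7000", "7050", "8300", "9000")
FIXED_BUILDS = {
    "email security": (10, 0, 9, 6173),
    "hosted email security": (10, 0, 9, 6173),
    "email security virtual appliance": (10, 0, 9, 6177),
}
for model in APPLIANCE_MODELS:
    FIXED_BUILDS[f"email security appliance {model} firmware"] = (10, 0, 9, 6177)

def parse_version(text):
    """'v10.0.9.6173' -> (10, 0, 9, 6173). Short strings are zero-padded so
    a bare '10.0.9' compares as older than any 10.0.9.NNNN build."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(product, version):
    """True when the product is listed here and its build predates the fix.
    Integer tuples avoid the lexical trap where '10.0.10.x' < '10.0.9.x'."""
    key = " ".join(product.lower().split())
    if key not in FIXED_BUILDS:
        return False  # product not covered by this advisory
    return parse_version(version) < FIXED_BUILDS[key]

# Constructed inventory rows (hostname, product, version); not real hosts.
SAMPLE_INVENTORY = [
    ("mx-1", "Email Security Appliance 5000 firmware", "10.0.9.6105"),
    ("mx-2", "Email Security Appliance 5000 firmware", "10.0.9.6177"),
    ("mx-3", "Email Security Virtual Appliance", "10.0.10.1234"),
    ("mx-4", "Hosted Email Security", "10.0.9"),
    ("mx-5", "Email Security", "v10.0.9.6173"),
    ("fw-1", "Some Other Product", "6.5.4.4"),
]

def affected_hosts(inventory=SAMPLE_INVENTORY):
    """Hostnames whose product/version pair falls below the fixed build."""
    return [h for h, p, v in inventory if is_affected(p, v)]

if __name__ == "__main__":
    print("Affected:", affected_hosts())  # ['mx-1', 'mx-4']
```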
Real-world incidents: what we've seen

CISA confirms this CVE has been used in known ransomware campaigns. Added to the KEV catalog on 2021-11-03; federal agencies required to remediate by 2021-11-17.

How to patch

Manual remediation steps

1. Identify affected hosts: query inventory for SonicWall Email Security installs (appliance, virtual appliance or hosted) in scope.
2. Upgrade to version 10.0.9 or later. Stage in a test ring before broad deployment.
3. Verify by checking the installed version on a sample of remediated hosts.
4. Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.