IRONSMITHINTEL
CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2021-20038 | Auth: none — unauthenticated | Reboot: required | Manual only

SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability (CVE-2021-20038)

SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow; successful exploitation can result in code execution on the appliance.

Published Dec 8, 2021 · Updated May 17, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2022-02-11 under CISA BOD 22-01.

How the attack works (no clicks needed)

This is a stack-based buffer overflow (CWE-121) in SonicWall SMA 100 appliances. The overflow is in the handling of environment variables by the mod_cgi module of the SMA 100's Apache httpd server, and allows a remote, unauthenticated attacker to potentially execute code as the 'nobody' user on the appliance. The vulnerability affected SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions. Exploitation requires only remote network access: low attack complexity, no authentication and no user interaction.


Am I affected? Quick check

Probably yes if any of these apply:

Category: IT Security

- Running an SMA 200, SMA 210, SMA 400, SMA 410 or SMA 500v appliance on firmware 10.2.0.8-37sv, 10.2.1.1-19sv or 10.2.1.2-24sv
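The quick check above is easy to get wrong by hand when an inventory export mixes model spellings and firmware strings. The following Python script is an added example (not code from the advisory or from SonicWall) that parses SMA 100 firmware strings of the form `10.2.1.2-24sv`, applies the page's "listed builds and earlier versions" rule, and flags hosts from a constructed CSV inventory. The inventory rows, the hostnames, the `10.2.1.9-99sv` "newer build" value and the column names are all made up for the example; the page does not state the fixed build, so anything newer than the last listed affected build is reported as "not affected" here and should still be confirmed against the vendor advisory.

```python
import csv
import io
import re
from typing import Dict, Tuple

# Models and builds taken from the advisory text; every build at or below
# LAST_AFFECTED_BUILD is affected ("... and earlier versions").
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
LAST_AFFECTED_BUILD = "10.2.1.2-24sv"

# SMA 100 firmware strings look like 10.2.1.2-24sv: four dotted numbers,
# a dash, the build number, then the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.2-24sv' into (10, 2, 1, 2, 24) so tuples compare numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA firmware string: {version!r}")
    return tuple(int(part) for part in match.groups())


def normalise_model(model: str) -> str:
    """Map 'sma 200', 'SMA-410', 'SMA500v' etc. onto the advisory's spelling."""
    match = re.match(r"^\s*sma[\s-]*(\d+v?)\s*$", model, re.IGNORECASE)
    if not match:
        return model.strip()
    return f"SMA {match.group(1).lower()}"


def is_affected(model: str, version: str) -> bool:
    """True when the model is in scope and the build is at or below the last affected one."""
    if normalise_model(model) not in AFFECTED_MODELS:
        return False
    return parse_firmware(version) <= parse_firmware(LAST_AFFECTED_BUILD)


# Constructed inventory export for the example; not real hosts or data.
INVENTORY_CSV = """hostname,model,firmware
vpn-edge-01,SMA 410,10.2.1.2-24sv
vpn-edge-02,sma 500v,10.2.0.8-37sv
vpn-lab-01,SMA-210,10.2.1.9-99sv
vpn-lab-02,SMA 200,unknown
other-box-01,EXAMPLE-OTHER-MODEL,1.0.0.0-1sv
"""


def classify_inventory(inventory_csv: str) -> Dict[str, str]:
    """Label each host 'affected', 'not affected', or 'review' (firmware unparseable)."""
    result: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            affected = is_affected(row["model"], row["firmware"])
        except ValueError:
            # An in-scope model with an unreadable version still needs a human look.
            result[row["hostname"]] = "review"
            continue
        result[row["hostname"]] = "affected" if affected else "not affected"
    return result


if __name__ == "__main__":
    for host, status in classify_inventory(INVENTORY_CSV).items():
        print(f"{host}: {status}")
```

Hosts labelled "review" are in-scope models whose firmware string did not parse; treat them as affected until the version is confirmed on the appliance itself.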
Real-world incidents: what we've seen

Used in known ransomware campaigns. Threat-research write-up: https://github.com/jbaines-r7/badblood

How to patch

Manual remediation steps

1. Identify affected hosts: query inventory for network-security installs in scope.
2. Apply the vendor security update referenced in CVE-2021-20038's advisory. No specific KB/version is encoded yet — consult the linked MSRC/vendor URL.
3. Verify the fix per the vendor's published verification steps.
4. Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.
PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.