CVE-2021-20016

CVSS 9.8 CRITICAL | EPSS 40.0% | KEV | CWE-89
In short

A SQL injection flaw in SonicWall SSLVPN SMA100 allows an attacker without login credentials to inject malicious SQL commands and steal usernames, passwords, and session data. This is critical because attackers can compromise user accounts and gain unauthorized access to the VPN system.

Technical detail

A SQL injection vulnerability (CWE-89) in SonicWall SSLVPN SMA100 build 10.x permits unauthenticated remote attackers to execute arbitrary SQL queries because user input is not properly sanitized, enabling extraction of sensitive data including credentials and session tokens. The attack requires no prior authentication and affects the core authentication and session management components.

Summary generated and translated by AI from the official description.
A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform a SQL query to access username, password and other session-related information. This vulnerability impacts SMA100 build version 10.x.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
