SonicWall warns customers to patch 3 zero-days exploited in the wild

From csirt.cy

Security hardware manufacturer SonicWall is urging customers to patch a set of three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products.

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild,’” SonicWall said in a security advisory published earlier today.

The company said it’s “imperative” that organizations using its Email Security hardware appliances, virtual appliances, or software installations on Microsoft Windows Server machines immediately upgrade to a patched version.

The three zero-days were reported by Mandiant’s Josh Fleischer and Chris DiGiamo, and they are tracked as:

  • CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host (security updates released on April 9th)
  • CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host (security updates released on April 9th)
  • CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read vulnerability that enables a post-authenticated attacker to read an arbitrary file from the remote host (security updates released on April 19th)
