SonicWall Email Security zero-day vulnerabilities

SonicWall Email Security zero-day vulnerabilities

SonicWall has released urgent patches for Critical Email Security product zero-day vulnerabilities CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023.

In an urgent security alert, SonicWall released a security update on the threat on April 20, 2021:

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild.’ It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed below.”


Moreover, SonicWall Hosted Email Security (HES) was patched on April 19, 2021. So no action is needed for customers who use the hosted email security product.

Summary of CVEs patched:

  • CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation.
  • CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation.
  • CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read.

Patched versions of products:

  • Email Security – (Windows)
  • Email Security – (Hardware & ESXi Virtual Appliance)
  • Hosted Email Security – (patched automatically).

Each of these versions address affected Email Security product versions 10.0.1, 10.0.2, 10.0.3, 10.0.4 or newer.

Related Articles