SonicWall has released security updates for its Email Security (ES) product to patch three zero-day vulnerabilities. There have been reports of active exploitation of these vulnerabilities.
The vulnerabilities are:
- CVE-2021-20021 — A pre-authentication administrative account creation vulnerability that allows an attacker to potentially create an administrative account by sending a crafted HTTP request to the remote host
- CVE-2021-20022 and CVE-2021-20023 — A post-authentication arbitrary file creation or read vulnerability that allows an already authenticated attacker to potentially upload or read an arbitrary file on the remote host
These vulnerabilities have been fixed in ES versions 10.0.1, 10.0.2, 10.0.3 and 10.0.4-Present.
Administrators are advised to upgrade their ES appliances or software installation to the latest versions (10.0.9.6177 or 10.0.9.6173) immediately.
Organisations using legacy ES versions 7.0.0 - 9.2.2 with an active support license are strongly advised to upgrade to the latest ES version.
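As an added triage aid (not from SonicWall or the original advisory), the helper below classifies ES version strings against the versions named above so an administrator can check an inventory of appliances. It assumes any 10.x build at or above the lower of the two listed builds (10.0.9.6173) counts as patched, since the page does not say which platform each build applies to; the inventory is a constructed sample.

```python
"""Classify SonicWall ES version strings against the advisory's version numbers."""
from typing import Dict, List, Tuple

# Patched builds named in the advisory. Assumption: any build at or above the
# lower of the two is treated as current, because the page does not state
# which platform each build is for.
PATCHED_BUILDS = ((10, 0, 9, 6177), (10, 0, 9, 6173))
PATCHED_MIN = min(PATCHED_BUILDS)

# Legacy range the advisory says should be upgraded if still under support.
LEGACY_MIN = (7, 0, 0)
LEGACY_MAX = (9, 2, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.9.6177' into (10, 0, 9, 6177); reject non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], n: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so '10.0.9' compares as (10, 0, 9, 0)."""
    return v + (0,) * (n - len(v))


def classify_es_version(text: str) -> str:
    """Return 'current', 'upgrade-required', 'legacy-upgrade' or 'unknown'."""
    v = parse_version(text)
    if v[0] == 10:
        return "current" if _pad(v) >= PATCHED_MIN else "upgrade-required"
    if LEGACY_MIN <= v[:3] <= LEGACY_MAX:
        return "legacy-upgrade"
    return "unknown"


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose ES version is not on a patched build, sorted."""
    return sorted(h for h, ver in inventory.items()
                  if classify_es_version(ver) != "current")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "es-dc1": "10.0.9.6177",
    "es-dc2": "10.0.4.2010",
    "es-branch": "9.2.2",
}

if __name__ == "__main__":
    for host in hosts_needing_action(SAMPLE_INVENTORY):
        print(host, classify_es_version(SAMPLE_INVENTORY[host]))
```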
More information is available here: