AttackerKB ID: AKB:3C46076B-BAA2-4E8A-9BE1-5173E1828E48
Sep 27, 2021 - 12:00 a.m.

CVE-2021-20034

attackerkb.com
Tags: cve-2021-20034, sma100, access control, arbitrary file deletion, factory default settings, remote attacker

EPSS: 0.641 (Percentile: 97.9%)

An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.

Recent assessments:

jbaines-r7 at October 12, 2021 8:21pm UTC reported:

Beyond denial of service purposes, CVE-2021-20034 has limited attacker value due to the inability of the attacker to easily reboot the system post-exploitation. While the vulnerability could see use by destructive attackers, it’s unlikely to be used in any type of widespread campaign like previous SonicWall vulnerabilities. See the Rapid7 analysis for full details.

Assessed Attacker Value: 2
Assessed Attacker Value: 4
