back caretBlog

Find SonicWall Vulnerabilities With an Inventory of Devices and Software

Update: the detector for CVE-2021-22893 is live.

SonicWall has confirmed three zero-day vulnerabilities (CVE-2021-20021; CVE-2021-20022; CVE-2021-20023) impacting its on-premises and hosted email security products. This is the third such disclosure this week, following similar zero day vulnerabilities in Juniper Networks (CVE-2021-0254) and Pulse Secure (CVE-2021-22893) products, which are more widely used.

The Pulse Secure VPN vulnerability is particularly urgent, and has already been used to break into the networks of dozens of organizations in the defense industrial industry. CISA has issued an emergency directive on the Pulse Secure CVE requiring Federal Civilian Branch Agencies to "enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency's behalf" and deploy the patch on every appliance.

The SonicWall vulnerabilities allow attackers to create administrative accounts and upload and read arbitrary files. With these "keys to the castle" the attackers have so far been able to collect and compress daily email archives managed by the SonicWall Email Security (ES) application. The Juniper Junos OS vulnerability allows for remote code execution.

These exploits are the latest in a recent surge in cyber attacks, including SolarWinds SUNBURST, in which the attackers successfully evaded log- and endpoint-based detection methods by targeting unmanaged and highly privileged devices.


When zero day exploits like these come to light, the most critical first step is to immediately understand what software and devices might be affected, and to identify whether any vulnerable devices are present in the organization's environment. This can be remarkably challenging because many organizations struggle to maintain an up-to-date inventory of devices in their environment. One must discover vulnerable devices on the network and either update their software to a non-vulnerable version or isolate these devices. Critical to the process of discovering one's vulnerability status is being able to detect software types and versions that devices are running and which need to be addressed.

Simultaneously, organizations that have vulnerable devices need the ability to detect any behavioral activity suggesting that the organization had been compromised before the patch was deployed. Organizations are often forced to choose between remaining vulnerable to a new CVE, or disabling business-critical applications, such as email security in the case of SonicWall. In either scenario, organizations are subject to business risks and lost productivity. The faster one can identify the level of vulnerability and whether one was compromised, the better one's chances of avoiding irrecoverable damage.

ExtraHop enables you to automatically discover and classify all networked devices, plus map connections and dependencies. You can identify hardware, operating systems, and software on your network, so you have a real-time view of what applications are running and what data is being shared on your network. This deep visibility is invaluable whenever new CVEs come to light. Not only does it ensure that you can identify and patch every device, it also ensures that you can track malicious activity associated with those devices and exploits.

See how to identify vulnerable devices and stop exploits in the Reveal(x) demo.

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed