Security News > 2021 > May > SonicWall Patches Command Injection Flaw in Firewall Management Application
SonicWall last week announced the availability of patches for a severe vulnerability in its Network Security Manager product.
NSM is a firewall management application that provides the ability to monitor and manage all network security services from a single interface, as well as to automate tasks to improve security operations.
SonicWall's platform is available both for on-premises deployments and as SaaS. Tracked as CVE-2021-20026 and featuring a CVSS score of 8.8, the recently patched vulnerability impacts on-premises versions of SonicWall NSM, but does not affect NSM SaaS versions.
The issue, SonicWall reveals in a security advisory, is an OS command injection flaw that could be exploited by an attacker who has already been able to authenticate to a vulnerable system.
"This critical vulnerability potentially allows a user to execute commands on a device's operating system with the highest system privileges," SonicWall explains.
The vulnerability impacts SonicWall NSM On-Prem 2.2.0-R10 and earlier releases, and was addressed with the release of NSM versions 2.2.1-R6 and 2.2.1-R6. In its advisory, SonicWall is urging all customers to apply the available patches as soon as possible, to ensure they remain protected.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-27 | CVE-2021-20026 | OS Command Injection vulnerability in Sonicwall Network Security Manager 2.2.0 A vulnerability in the SonicWall NSM On-Prem product allows an authenticated attacker to perform OS command injection using a crafted HTTP request. | 9.0 |