Security Advisory: On-Prem SonicWall Network Security Manager (NSM) Command Injection Vulnerability

First Published:05/25/2021

Last Updated:05/27/2021

May 27, 2021, 11:30 a.m. PDT.

SonicWall has validated and patched a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM). This vulnerability only impacts on-premises NSM deployments. SaaS versions of NSM are not affected.

This critical vulnerability potentially allows a user to execute commands on a device’s operating system with the highest system privileges (root).

SonicWall customers using the on-premises NSM versions outlined below should upgrade to the respective patched version immediately.

AFFECTED VERSION	PATCHED VERSION	PSIRT ADVISORY ID	APPLICABLE CVEs
Network Security Manager (NSM) 2.2.0-R10-H1 and earlier	Network Security Manager (NSM) 2.2.1-R6 Network Security Manager (NSM) 2.2.1-R6 (Enhanced)	SNWLID-2021-0014	CVE-2021-20026

Please reference the following knowledge base article for guidance on upgrading NSM firmware in on-premises deployments: How do I upgrade on-prem Network Security Manager firmware?

Please reach out to SonicWall Technical Support if you require assistance with the firmware upgrade process.

Resources:

Previous Alert

Product Advisory: Capture Client 3.6 Upgrade (May 20 Update)

Next Alert

Security Advisory: SonicOS Vulnerability in Firewall Web Management Interface

Security Advisory: On-Prem SonicWall Network Security Manager (NSM) Command Injection Vulnerability

May 27, 2021, 11:30 a.m. PDT.

연락처