Product Security Notice: SMA 100 Series Vulnerability Patches (Q4 2021)

First Published: 12/01/2021 | Last Updated: 02/01/2022

SonicWall has verified and patched vulnerabilities of critical and medium severity (CVSS 5.3-9.8) in SMA 100 series appliances, which include SMA 200, 210, 400, 410 and 500v products. SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities.

IMPORTANT: There is no evidence that these vulnerabilities are being exploited in the wild.

Details for each patch can be found in PSIRT Advisory SNWLID-2021-0026.

SonicWall strongly urges that organizations follow the guidance below to patch SMA 100 series products, which include SMA 200, 210, 400, 410 and 500v appliances.


There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible.

Organizations using SMA 100 series appliances should immediately log in to upgrade their appliances to the patched firmware versions outlined below. For upgrade assistance, please reference the KB article, “How to Upgrade Firmware on SMA 100 Series Appliances”, or contact SonicWall support.

Impacted Platform: SMA 100 Series
SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure)
| Issue ID | Summary | CVSS Score | Impacted Firmware | Fixed Firmware | CVE |
|---|---|---|---|---|---|
| SMA-3217 | Unauthenticated Stack-based Buffer Overflow | 9.8 High | 10.2.1.0-17sv (and earlier) | | CVE-2021-20038 |
| SMA-3204 | Authenticated Command Injection Vulnerability as Root | 7.2 High | 9.0.0.11-31sv* (and earlier); -19sv (and earlier) | | CVE-2021-20039 |
| SMA-3206 | Unauthenticated File Upload Path Traversal Vulnerability | 6.5 Medium | 10.2.0.8-37sv (and earlier); -19sv (and earlier) | | CVE-2021-20040 |
| SMA-3207 | Unauthenticated CPU Exhaustion Vulnerability | 7.5 High | 9.0.0.11-31sv* (and earlier); -19sv (and earlier) | | CVE-2021-20041 |
| SMA-3208 | Unauthenticated "Confused Deputy" Vulnerability | 6.3 Medium | 9.0.0.11-31sv* (and earlier); -19sv (and earlier) | | CVE-2021-20042 |
| SMA-3231 | getBookmarks Heap-based Buffer Overflow | 8.8 High | 10.2.0.8-37sv (and earlier); -19sv (and earlier) | | CVE-2021-20043 |
| SMA-3233 | Post-Authentication Remote Code Execution (RCE) | 7.2 High | 10.2.0.8-37sv (and earlier); -19sv (and earlier) | | CVE-2021-20044 |
| SMA-3235 | Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows | 9.4 High | 10.2.0.8-37sv (and earlier); -19sv (and earlier) | | CVE-2021-20045 |

* NOTE: Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.