The vulnerability was used in a chained attack along with two other post-authentication vulnerabilities #VU52039 and #VU52377 to fully compromise the affected system.
Advisory: SB2021041210 - Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)
Vulnerable component: SonicWall On-premise Email Security (ES)
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-287 - Improper Authentication
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error when processing authentication requests within the "/createou?data=" form, which is responsible for administration capabilities, specifically the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organizational Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a “role.ouadmin” account and authenticate to the application as an administrator.
Note, the vulnerability is being actively exploited in the wild.
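For triage, the following added example (not part of the advisory or of any SonicWall tooling) scans web access logs for requests to the "/createou" form described above and groups them by source address. It assumes the logs are in NCSA combined format, which may not match the appliance's own layout; the function names are hypothetical and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: NCSA/Apache combined log format. Adjust LINE_RE if the
# appliance or a fronting proxy writes a different layout.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop the query string, percent-decode, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower().rstrip("/")

def find_createou_hits(lines):
    """Return {source_ip: [(timestamp, method, status), ...]} for /createou requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if normalise_path(m["target"]).endswith("/createou"):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, placeholder payloads).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2021:10:01:02 +0000] "GET /createou?data=PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2021:10:01:09 +0000] "POST //CreateOU HTTP/1.1" 200 498',
    '203.0.113.20 - - [12/Apr/2021:10:02:30 +0000] "GET /createou?data=PLACEHOLDER HTTP/1.1" 404 0',
    '192.0.2.15 - - [12/Apr/2021:10:03:11 +0000] "GET /login.html HTTP/1.1" 200 2048',
    '192.0.2.15 - - [12/Apr/2021:10:03:40 +0000] "GET /help/createou-guide.pdf HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, requests in find_createou_hits(SAMPLE_LOG).items():
        print(ip)
        for ts, method, status in requests:
            print(f"  {ts}  {method}  HTTP {status}")
```

Any source address reported here should be checked against the list of hosts that legitimately administer the appliance, and the administrator accounts present on the system reviewed for unexpected entries.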