Cyber Resilience

CVE-2021-36380

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 13 August 2021
Modified: 05 November 2025
KEV Added: 05 March 2024
Patch: available (8.7.0.1.1)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9364 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-36380 is a critical-severity OS Command Injection (CWE-78) vulnerability in Sunhillo SureLine. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Sunhillo SureLine versions prior to 8.7.0.1.1 contain an unauthenticated OS command injection vulnerability tracked as CVE-2021-36380 and classified as CWE-78. The flaw resides in the network diagnostic functionality exposed by /cgi/networkDiag.cgi, where unsanitized input supplied to the ipAddr or dnsAddr parameters is passed directly to the system shell, allowing arbitrary command execution.

An attacker with network access can exploit the issue without authentication or user interaction by sending crafted HTTP requests containing shell metacharacters. Successful exploitation yields full control over the underlying operating system, resulting in complete compromise of confidentiality, integrity, and availability as reflected in the CVSS 9.8 base score.

Public references include an NCC Group technical advisory that details the injection vector and affected endpoint, the vendor product page for SureLine, and CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Organizations should upgrade to version 8.7.0.1.1 or later and restrict network exposure of the management interface until patches are applied.

Vulnerability details

Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 05 March 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sunhillo
Product: sureline
Versions: prior to 8.7.0.1.1 (fixed in 8.7.0.1.1)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 (Information Input Validation), prevent: Directly requires validation of ipAddr/dnsAddr inputs to block shell metacharacters before they reach the system shell in networkDiag.cgi.

AC-3 (Access Enforcement), prevent: Enforces authentication and authorization checks on the /cgi/networkDiag.cgi endpoint so unauthenticated requests cannot execute OS commands.

SC-7 (Boundary Protection), prevent: Boundary protection can restrict network access to the management interface, limiting exposure of the vulnerable diagnostic CGI until patched.
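The following is an added example, not Sunhillo's code and not derived from the SureLine firmware, showing what the SI-10 and AC-3 controls above look like in a diagnostic handler that takes ipAddr and dnsAddr parameters. It makes two assumptions that are not on this page: that the diagnostic runs ping and nslookup (stand-ins for whatever networkDiag.cgi actually executes), and that authentication state arrives as a session dictionary. Two design points matter more than the specific commands: the validator allow-lists well-formed IP addresses and hostnames rather than deny-listing metacharacters, and the command is built as an argv list and run with shell=False, so no shell ever parses the user-supplied value.

```python
"""Hardened stand-in for a network-diagnostic CGI handler (added example).

Not Sunhillo's code. The ping/nslookup commands, the handler and session
names, and the parameter-to-command mapping are assumptions made for
illustration; the real /cgi/networkDiag.cgi internals are not on the page.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# RFC 1123 hostname label: letters, digits, hyphens; no leading or trailing
# hyphen; 1-63 characters. A leading hyphen is also what would turn a value
# into an option for the child process, so this rejects that as a side effect.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class ValidationError(ValueError):
    """Raised when a diagnostic parameter fails allow-list validation."""


def validate_target(value: Optional[str]) -> str:
    """Return a canonical IP address or hostname, or raise ValidationError.

    SI-10 allow-list: the value must parse as an IPv4/IPv6 literal or match
    strict hostname syntax. Everything else (shell metacharacters, whitespace,
    empty or oversized strings) is rejected; nothing is "cleaned" and kept.
    """
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValidationError("target missing or too long")
    try:
        return str(ipaddress.ip_address(value))   # canonical IP form
    except ValueError:
        pass
    host = value.rstrip(".")
    if host and all(_LABEL.match(label) for label in host.split(".")):
        return host.lower()
    raise ValidationError("invalid target: %r" % (value,))


def is_valid_target(value: Optional[str]) -> bool:
    """Boolean convenience wrapper around validate_target()."""
    try:
        validate_target(value)
        return True
    except ValidationError:
        return False


def build_diag_commands(ip_addr: str, dns_addr: Optional[str] = None) -> Dict[str, List[str]]:
    """Build the diagnostic commands as argv lists, never as shell strings.

    Assumed commands: 'ping -c 4 <ipAddr>' and, when dnsAddr is supplied,
    'nslookup <ipAddr> <dnsAddr>'. Because these lists go to subprocess with
    shell=False, characters such as ';', '|' or '$(' carry no meaning even if
    validation were somehow bypassed.
    """
    target = validate_target(ip_addr)
    commands = {"ping": ["ping", "-c", "4", target]}
    if dns_addr is not None:
        commands["resolve"] = ["nslookup", target, validate_target(dns_addr)]
    return commands


def run_command(argv: List[str], timeout: float = 10.0) -> str:
    """Execute one argv list without a shell and return its combined output."""
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout + proc.stderr


def handle_network_diag(params: Dict[str, str], session: Dict[str, bool],
                        execute: bool = False) -> Dict[str, object]:
    """Request handler: AC-3 check first, then SI-10 validation, then argv exec.

    'params' is the parsed query string (assumed keys ipAddr/dnsAddr) and
    'session' is assumed to carry an 'authenticated' flag set by the
    management interface's login layer.
    """
    if not session.get("authenticated", False):
        return {"status": 401, "error": "authentication required"}
    try:
        commands = build_diag_commands(params.get("ipAddr"), params.get("dnsAddr"))
    except ValidationError as exc:
        return {"status": 400, "error": str(exc)}
    result: Dict[str, object] = {"status": 200, "commands": commands}
    if execute:
        result["output"] = {name: run_command(argv) for name, argv in commands.items()}
    return result


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request, one carrying
    # shell metacharacters, one unauthenticated. Nothing is executed here.
    print(handle_network_diag({"ipAddr": "10.0.0.1", "dnsAddr": "ns1.example.com"},
                              {"authenticated": True}))
    print(handle_network_diag({"ipAddr": "10.0.0.1;id"}, {"authenticated": True}))
    print(handle_network_diag({"ipAddr": "10.0.0.1"}, {"authenticated": False}))
```

Pass execute=True only behind the authenticated path when the handler really should run the diagnostic; the default returns the argv lists so the validation behaviour can be exercised in tests without network access.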
