CVE-2021-36380
Published: 13 August 2021
Summary
CVE-2021-36380 is a critical-severity OS Command Injection (CWE-78) vulnerability in Sunhillo Sureline. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Sunhillo SureLine versions prior to 8.7.0.1.1 contain an unauthenticated OS command injection vulnerability tracked as CVE-2021-36380 and classified as CWE-78. The flaw resides in the network diagnostic functionality exposed by /cgi/networkDiag.cgi, where unsanitized input supplied to the ipAddr or dnsAddr parameters is concatenated into a command line and passed directly to the system shell, so the shell interprets any metacharacters in the value as command syntax and executes arbitrary commands.
An attacker who can reach the web interface can exploit the issue without authentication or user interaction by sending crafted HTTP requests containing shell metacharacters in either parameter. Successful exploitation yields full control over the underlying operating system, resulting in complete compromise of confidentiality, integrity, and availability, as reflected in the CVSS 9.8 base score (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Public references include an NCC Group technical advisory that details the injection vector and affected endpoint, the vendor product page for SureLine, and CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Organizations should upgrade to version 8.7.0.1.1 or later and restrict network exposure of the management interface until patches are applied.
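Because the advisory confirms in-the-wild exploitation and describes the attack as crafted requests carrying shell metacharacters in ipAddr or dnsAddr, a practitioner will want a quick way to sweep existing web-server logs for such requests. The following is an added example (not part of the advisory, NCC Group's work, or any vendor tooling) that scans Common Log Format access-log lines for requests to /cgi/networkDiag.cgi whose watched parameters are not plain IP literals. The log format, the sample lines, and the list of metacharacters are assumptions constructed for the example.

```python
"""Added example, not part of the advisory or the vendor's tooling.

Scans access-log lines for requests to /cgi/networkDiag.cgi whose ipAddr or
dnsAddr parameter is not a bare IP literal. A value containing a shell
metacharacter is flagged with high confidence ('metachar'); any other
non-address value is flagged at lower confidence ('non-address').
The log format is assumed to be Common Log Format; the lines are constructed.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi/networkDiag.cgi"           # endpoint named in the advisory
WATCHED_PARAMS = ("ipAddr", "dnsAddr")         # parameters named in the advisory
# Characters the shell treats specially; any of them inside a supposed IP
# address is a strong signal of an injection attempt (assumed set).
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")

# Common Log Format: src ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign diagnostic request, two requests carrying
# percent-encoded metacharacters, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2024:10:00:01 +0000] "GET /cgi/networkDiag.cgi?ipAddr=10.0.0.1 HTTP/1.1" 200 512
203.0.113.9 - - [05/Mar/2024:10:00:02 +0000] "GET /cgi/networkDiag.cgi?ipAddr=10.0.0.1%3Bid HTTP/1.1" 200 640
203.0.113.9 - - [05/Mar/2024:10:00:03 +0000] "GET /cgi/networkDiag.cgi?dnsAddr=8.8.8.8%7Cwhoami HTTP/1.1" 200 611
10.0.0.7 - - [05/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def classify_value(value: str) -> str:
    """'ok' for an IPv4/IPv6 literal, 'metachar' if a shell metacharacter is
    present, otherwise 'non-address'."""
    try:
        ipaddress.ip_address(value.strip())
        return "ok"
    except ValueError:
        pass
    if SHELL_META & set(value):
        return "metachar"
    return "non-address"


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious watched parameter on this line."""
    m = CLF_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return []
    # parse_qs percent-decodes, so %3B is classified as ';' and %7C as '|'.
    query = parse_qs(parts.query, keep_blank_values=True)
    findings: List[Dict[str, str]] = []
    for param in WATCHED_PARAMS:
        for value in query.get(param, []):
            verdict = classify_value(value)
            if verdict != "ok":
                findings.append({
                    "src": m.group("src"), "ts": m.group("ts"),
                    "param": param, "value": value,
                    "verdict": verdict, "status": m.group("status"),
                })
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log body (one request per line)."""
    out: List[Dict[str, str]] = []
    for line in text.splitlines():
        out.extend(scan_line(line))
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['param']}={f['value']!r} "
              f"[{f['verdict']}] HTTP {f['status']}")
```

Two caveats when using this against real logs: a request body sent by POST is not recorded in an access log, so only a proxy, WAF or full-capture source will show injection attempts delivered that way; and an HTTP 200 on a flagged request does not by itself prove the command ran, so every 'metachar' hit should be followed up on the host.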
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-22996
Vulnerability details
Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 05 March 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the ipAddr/dnsAddr inputs before they reach the system shell in networkDiag.cgi. An allowlist (accept only a well-formed IP address literal) is preferable to blocking known shell metacharacters, which is easy to get wrong.
- AC-3 (Access Enforcement): enforces authentication and authorization checks on the /cgi/networkDiag.cgi endpoint so unauthenticated requests cannot execute OS commands.
- SC-7 (Boundary Protection): restricts network access to the management interface, limiting exposure of the vulnerable diagnostic CGI until the fixed version is deployed.
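To make the input-validation control concrete for the flaw described in the deeper analysis (user input concatenated into a shell command in networkDiag.cgi), here is an added example contrasting that vulnerable pattern with a hardened handler. It is not Sunhillo SureLine code: the advisory does not say which diagnostic tools the CGI runs, so ping for ipAddr and nslookup for dnsAddr are assumptions, and the function names are invented for the example.

```python
"""Added example, not Sunhillo SureLine code.

Contrasts the vulnerable pattern (user input concatenated into a shell
command line) with a hardened handler that allowlists the ipAddr/dnsAddr
values as IP literals and runs the tool as an argv list with no shell.
The tools (ping, nslookup) and function names are assumptions.
"""
import ipaddress
import subprocess
from typing import List

# Request parameters named in the advisory.
DIAG_PARAMS = ("ipAddr", "dnsAddr")


def unsafe_command(param: str, value: str) -> str:
    """The vulnerable pattern: build a shell command line by concatenation.

    This only RETURNS the string so the effect can be inspected safely; a
    vulnerable CGI hands such a string to the shell (system(), popen()),
    where ';', '|', '$(...)' and friends become command syntax.
    """
    if param == "ipAddr":
        return "ping -c 1 " + value
    if param == "dnsAddr":
        return "nslookup localhost " + value
    raise ValueError(f"unknown parameter {param!r}")


def validate_address(value: str) -> str:
    """SI-10 style allowlist: accept only an IPv4/IPv6 literal.

    ipaddress.ip_address() rejects anything that is not a well-formed
    address, so shell metacharacters, whitespace, quotes and option-like
    values starting with '-' can never get through. The normalized form
    is returned (surrounding whitespace stripped, IPv6 lower-cased).
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected diagnostic target {value!r}") from exc


def safe_argv(param: str, value: str) -> List[str]:
    """Hardened handler: the validated value goes into an argv list.

    With an argv list and shell=False there is no shell parse step at all,
    so the value reaches the tool as a single literal argument.
    """
    if param not in DIAG_PARAMS:
        raise ValueError(f"unknown parameter {param!r}")
    addr = validate_address(value)
    if param == "ipAddr":
        return ["ping", "-c", "1", addr]
    return ["nslookup", "localhost", addr]


def is_rejected(param: str, value: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        safe_argv(param, value)
    except ValueError:
        return True
    return False


def run_diag(param: str, value: str, timeout: float = 5.0) -> str:
    """Execute the diagnostic with no shell involved (needs a live network,
    so it is shown for completeness rather than exercised here)."""
    proc = subprocess.run(
        safe_argv(param, value),
        shell=False,            # argv goes straight to execve(), no shell
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    tainted = "10.0.0.1; id"   # constructed input carrying a metacharacter
    print("vulnerable builds:", repr(unsafe_command("ipAddr", tainted)))
    print("hardened rejects :", is_rejected("ipAddr", tainted))
    print("hardened argv    :", safe_argv("ipAddr", "10.0.0.1"))
```

The validator is deliberately an allowlist rather than a metacharacter blocklist: it does not need to enumerate every character the shell treats specially, and the argv/shell=False execution path means even a validator bug would not hand the value to a shell parser.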