CVE-2021-36380
published 2021-08-13

CVE-2021-36380: Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.

Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-03-26
Exploited in the wild
EPSS: 97.60% (99.9th percentile)

Affected

1 range

Vendor    Product   Version range   Fixed in
sunhillo  sureline  < 8.7.0.1.1     8.7.0.1.1

Detection & IOCs (extracted from sources)

path: /cgi/networkDiag.cgi
command: POST /cgi/networkDiag.cgi HTTP/1.1
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes: |24 28|
  • Exploit arrives as an HTTP POST to /cgi/networkDiag.cgi with shell metacharacters (e.g., $() subshell syntax) injected into the dnsAddr parameter. Body starts with 'command=' and contains both '&ipAddr=' and '&dnsAddr=$(' fields.
  • The Snort/ET rule keys on the byte sequence |24 28| (ASCII for '$(' — the start of a shell command substitution) immediately following '&dnsAddr=' in the POST body. Use this as a fast-pattern anchor.
  • Exploitation can result in outbound reverse TCP connections or outbound HTTP requests (e.g., wget) from the SureLine device to attacker-controlled infrastructure. Monitor for unexpected outbound connections originating from SureLine hosts.
  • CISA KEV notes the vulnerability is also used for persistence on the network, not just one-time RCE. Treat any confirmed exploitation as a potential persistence indicator requiring full host investigation.
  • The vulnerability is unauthenticated — no session token or credential is required to exploit it. Detection rules must not rely on authentication-failure events as a precursor.
  • Both the ipAddr and dnsAddr POST parameters are injectable. Detection logic should cover shell metacharacters in either parameter, not just dnsAddr.
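Detection logic that covers both parameters, as an added example (not code from this page, the ET rule, or the vendor). It parses the request path and form body quoted above, percent-decodes the body before matching so encoded metacharacters are caught too, and runs over constructed sample requests; the host name and the `placeholder` values are made up.

```python
"""Added example: flag POST requests to /cgi/networkDiag.cgi whose ipAddr or
dnsAddr value carries shell metacharacters (CVE-2021-36380). Not vendor code."""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi/networkDiag.cgi"
INJECTABLE_PARAMS = ("ipAddr", "dnsAddr")
# Legitimate values for both fields are plain IP addresses, so any shell
# metacharacter is suspect. Deliberately wider than the ET rule's '$(' anchor.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return method, path, body

def suspicious_params(body):
    """Return {param: decoded value} for injectable params holding metacharacters."""
    # parse_qs percent-decodes, so "%24%28" is inspected as "$(" as well.
    fields = parse_qs(body, keep_blank_values=True)
    return {
        name: value
        for name in INJECTABLE_PARAMS
        for value in fields.get(name, [])
        if SHELL_META.search(value)
    }

def classify(raw):
    """Return a finding string for one raw request, or None if it looks benign."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    hits = suspicious_params(body)
    if not hits:
        return None
    return "CVE-2021-36380 attempt: shell metacharacters in " + ", ".join(sorted(hits))

# Constructed sample requests (hypothetical host, no real payloads).
HEAD = "POST /cgi/networkDiag.cgi HTTP/1.1\r\nHost: sureline.example\r\n\r\n"
BENIGN = HEAD + "command=ping&ipAddr=10.0.0.5&dnsAddr=10.0.0.53"
DNSADDR_SUBSHELL = HEAD + "command=ping&ipAddr=10.0.0.5&dnsAddr=$(placeholder)"
IPADDR_ENCODED = HEAD + "command=ping&ipAddr=10.0.0.5%60placeholder%60&dnsAddr=10.0.0.53"
OTHER_PATH = "POST /cgi/other.cgi HTTP/1.1\r\n\r\ncommand=ping&ipAddr=$(placeholder)"

if __name__ == "__main__":
    for sample in (BENIGN, DNSADDR_SUBSHELL, IPADDR_ENCODED, OTHER_PATH):
        print(classify(sample))
```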

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -