Surveillance application actively targeted
The vulnerability in Sunhillo SureLine tracked as CVE-2021-36380 is an unauthenticated OS command injection. An attacker who exploits it gains command execution on the targeted system and can potentially achieve full system compromise.
Background
Sunhillo's products handle surveillance data distribution systems for the Federal Aviation Administration, the US military, civil aviation authorities, and national defense organizations.
Latest Development
The vulnerability exists in the SureLine software because of improper input validation of the "ipAddr" and "dnsAddr" parameters. An attacker can manipulate the resulting command by injecting OS command input into those parameters, which allows the establishment of an interactive remote shell session.
FortiGuard has had protection coverage against this vulnerability since October 2023 and has been intercepting exploitation attempts averaging a thousand per day. Mirai malware is used as the payload for further infiltration. Apply the firmware patch recommended by the vendor to fully mitigate the risk.
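The two preceding paragraphs describe the root cause (an address parameter spliced into an OS command without validation) and the defensive coverage (blocking injection attempts at the network edge). The following added example, which is not code from the alert or from Sunhillo, shows both sides from a defender's perspective: the unsafe string-building pattern beside a hardened version that validates the address with the standard `ipaddress` module and passes it as a separate argv element, plus a small detector that flags shell metacharacters in the "ipAddr" and "dnsAddr" parameters of request lines. The handler names, the `/config` path, the `ifconfig eth0` command, and the sample request lines are all constructed for illustration and are not taken from the product.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical handler illustrating the unsafe pattern the alert describes:
# user-controlled text concatenated into a shell command string. This only
# builds the string so the defect is visible; nothing is executed.
def unsafe_build_command(ip_addr: str) -> str:
    return "ifconfig eth0 " + ip_addr  # attacker-controlled text reaches the shell


def is_valid_ip(value: str) -> bool:
    """True only for a syntactically valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def safe_build_command(ip_addr: str) -> list[str]:
    """Hardened version: strict allow-list validation, then argv (no shell).

    Raises ValueError on anything that is not a plain IP literal, so shell
    metacharacters never reach a command interpreter.
    """
    if not is_valid_ip(ip_addr):
        raise ValueError(f"rejected address parameter: {ip_addr!r}")
    return ["ifconfig", "eth0", str(ipaddress.ip_address(ip_addr.strip()))]


# Detection side: the two parameter names from the alert and the characters
# a shell would treat specially. parse_qs URL-decodes, so %3B is seen as ';'.
WATCHED_PARAMS = {"ipAddr", "dnsAddr"}
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def suspicious_params(request_line: str) -> dict[str, str]:
    """Return watched parameters whose decoded value contains shell metacharacters."""
    parts = request_line.split()
    if len(parts) < 2:
        return {}
    query = urlsplit(parts[1]).query
    found: dict[str, str] = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if SHELL_META.search(value):
                found[name] = value
    return found


def scan(request_lines: list[str]) -> list[tuple[int, dict[str, str]]]:
    """Index and findings for every request line that trips the detector."""
    hits = []
    for idx, line in enumerate(request_lines):
        findings = suspicious_params(line)
        if findings:
            hits.append((idx, findings))
    return hits


# Constructed sample request lines (not real traffic): a benign configuration
# request, the same request with an encoded ';' in ipAddr, and a ';' in an
# unrelated parameter that the detector should ignore.
SAMPLE_REQUESTS = [
    "GET /config?ipAddr=10.0.0.5&dnsAddr=10.0.0.53 HTTP/1.1",
    "GET /config?ipAddr=10.0.0.5%3Bid&dnsAddr=10.0.0.53 HTTP/1.1",
    "GET /status?q=a;b HTTP/1.1",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: suspicious parameters {findings}")
```

The detector keys on the exact parameter names the alert identifies rather than on any query string containing a metacharacter, which keeps it specific; the hardened handler fails closed on anything that is not an IP literal instead of trying to strip bad characters, which is the property a firmware fix for this class of bug needs to have.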
Apr 10, 2024: A video walkthrough has been added to the Outbreak Alert.
Apr 9, 2024: FortiGuard published an Outbreak Alert for the Sunhillo SureLine Command Injection Attack.
Mar 5, 2024: CISA has added CVE-2021-36380 to the Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Oct 30, 2023: Fortinet published an IPS signature to protect its customers from attack attempts.
Oct 09, 2023: FortiGuard Labs observed the IZ1H9 Mirai-based DDoS campaign targeting Sunhillo SureLine and released a detailed analysis.
https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
July 22, 2021: Sunhillo published a security bulletin and patch notice. https://www.sunhillo.com/fb011/
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- AV
- AV (Pre-filter)
- IPS
- Web App Security
- Outbreak Detection
- Threat Hunting
- Playbook
- Assisted Response Services
- Threat Hunting
- NOC/SOC Training
- End-User Training
- Attack Surface Hardening