Critical Vulnerabilities Of Network Security Devices Being Utilized By Mirai Botnet Malware


The SonicWall Capture Labs Threat Research team has received reports about a new Mirai botnet malware targeting network security devices. The Mirai botnet malware attack involves many different brands of connected network security devices that are affected by critical vulnerabilities. The following vulnerabilities are involved:

  • CVE-2020-25506: D-Link DNS-320 firewall exploit
  • CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
  • CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
  • CVE-2020-26919: Netgear ProSAFE Plus exploit
  • CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
  • CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

  • CVE-2020-25506
    IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
  • CVE-2021-27561/CVE-2021-27562
    IPS:15456 Yealink DM Remote Code Execution
  • CVE-2021-22502
    IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
  • CVE-2019-19356
    IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
    This is an old vulnerability. SonicWall released the patch for this vulnerability in 2015. There are also existing signatures detecting it:
    IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
    IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
  • GAV signatures to cover malware samples:
    GAV: Mirai.LL
    GAV: Mirai.LL_1


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.