CVE-2024-53944

Published: Feb 27, 2025Modified: Jun 17, 2026Deferred

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

http://www.tuoshi.net/productview.asp?id=218

Source: cve@mitre.org

http://www.tuoshi.net/productview.asp?id=226

Source: cve@mitre.org

https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf

Source: cve@mitre.org

https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt

Source: cve@mitre.org

https://github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gif

Source: cve@mitre.org

https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.