CVE-2024-53944
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
27/02/2025
Last modified:
04/03/2025
Description
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
References to Advisories, Solutions, and Tools
- http://www.tuoshi.net/productview.asp?id=218
- http://www.tuoshi.net/productview.asp?id=226
- https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf
- https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt
- https://github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gif