Vulnerability Description
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through firmware M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through firmware M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access to the device's web interface can exploit an OS command injection vulnerability: the /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters supplied in JSON parameters, so attacker-controlled input reaches a shell and arbitrary OS commands are executed with root privileges.
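As an added illustration (not code from the advisory, the vendor, or the researcher's write-up), the following is a request-inspection check of the kind a practitioner might place in a reverse proxy, WAF or IDS in front of the device until a fix is available: it flags JSON bodies sent to /goform/formJsonAjaxReq whose string values contain shell metacharacters, walking nested objects and arrays rather than only top-level fields. The endpoint path is the one named above; the parameter names and the sample requests are constructed for the example and are not taken from the firmware.

```python
import json
import re

# Endpoint named in the advisory. Everything else in this example (parameter
# names, sample requests) is constructed for illustration, not taken from the
# LT15D/LT21B firmware.
VULN_ENDPOINT = "/goform/formJsonAjaxReq"

# Characters a POSIX shell treats as control operators, redirections, quoting,
# substitution or globbing. Any of them in a value that reaches a shell is a
# red flag; a legitimate value for a command argument should not need them.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n\r\\'\"*?~\[\]]")


def walk_strings(value, path="$"):
    """Yield (json_path, string) for every string leaf in a parsed JSON value,
    so nested objects and arrays are inspected, not just top-level fields."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from walk_strings(item, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from walk_strings(item, f"{path}[{idx}]")


def find_shell_meta(body):
    """Return [(json_path, offending_chars), ...] for string values in a JSON
    body that contain shell metacharacters; [] if clean; None if not JSON."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    hits = []
    for path, text in walk_strings(data):
        found = "".join(sorted(set(SHELL_META_RE.findall(text))))
        if found:
            hits.append((path, found))
    return hits


def inspect_request(method, path, body):
    """Virtual-patch decision for one HTTP request: (blocked, reason)."""
    if path.split("?", 1)[0] != VULN_ENDPOINT:
        return False, "not the affected endpoint"
    hits = find_shell_meta(body)
    if hits is None:
        # Body could not be parsed as JSON; log it, but do not guess.
        return False, "body is not JSON; not inspected"
    if hits:
        return True, "shell metacharacters in " + ", ".join(p for p, _ in hits)
    return False, "clean"


# Constructed sample traffic; the parameter names are hypothetical.
SAMPLE_REQUESTS = [
    ("POST", VULN_ENDPOINT, '{"example_param": "eth0"}'),
    ("POST", VULN_ENDPOINT, '{"example_param": "eth0; id"}'),
    ("POST", VULN_ENDPOINT, '{"outer": {"items": ["ok", "$(id)"]}}'),
    ("POST", VULN_ENDPOINT, 'not json at all'),
    ("GET", "/index.html", ""),
]


def run_samples():
    """Inspect every constructed request; returns the list of decisions."""
    return [inspect_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (blocked, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print("BLOCK " if blocked else "allow ", req[0], req[1], "->", reason)
```

This is a denylist, and denylists are only a stopgap: it narrows the attack surface for a device you cannot patch, but an encoding the proxy decodes differently from the firmware, or a metacharacter the list misses, would get through. The actual fix belongs in the firmware, where the value must never be interpolated into a shell command string at all (invoke the program directly with an argument vector and validate the value against a strict allowlist for its expected type, such as an interface name or an IP address).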
CVSS Score
9.8 (CRITICAL)
Related Weaknesses (CWE)
References
- http://www.tuoshi.net/productview.asp?id=218
- http://www.tuoshi.net/productview.asp?id=226
- https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf
- https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt
- https://github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.
FAQ
What is CVE-2024-53944?
CVE-2024-53944 is an unauthenticated OS command injection vulnerability with a CVSS base score of 9.8 (CRITICAL). It affects Tuoshi/Dionlink LT15D 4G Wi-Fi devices through firmware M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through firmware M7628xUSAxUIv2_v1.0.1481.15.02_P0: the /goform/formJsonAjaxReq endpoint does not sanitize shell metacharacters in JSON parameters, allowing a remote attacker with network access to execute arbitrary OS commands as root without authenticating.
How severe is CVE-2024-53944?
CVE-2024-53944 has been rated CRITICAL with a CVSS base score of 9.8/10. The rating reflects that the flaw is reachable over the network, requires no authentication or user interaction, and yields command execution as root, so it warrants immediate attention.
Is there a patch for CVE-2024-53944?
The advisory identifies the affected firmware as versions through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 (LT15D) and M7628xUSAxUIv2_v1.0.1481.15.02_P0 (LT21B) but does not name a fixed version; check the vendor product pages and the researcher's write-up in the references above for updates. Until a fixed firmware is available, restrict network access to the device's web management interface, since the flaw is exploitable by anyone who can reach /goform/formJsonAjaxReq without credentials.