CVE-2024-53944
Published: 27 February 2025
Description
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
Security Summary
CVE-2024-53944 is a command injection vulnerability (CWE-94) affecting Tuoshi/Dionlink LT15D 4G Wi-Fi devices running firmware through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices running firmware through M7628xUSAxUIv2_v1.0.1481.15.02_P0. The vulnerability resides in the /goform/formJsonAjaxReq endpoint, which fails to properly sanitize shell metacharacters in JSON parameters. This flaw enables attackers to inject and execute arbitrary operating system commands with root privileges. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
An unauthenticated remote attacker with network access to the device can exploit this vulnerability by sending crafted JSON requests to the affected endpoint. Successful exploitation grants root-level command execution on the underlying operating system, potentially allowing full device compromise, including data exfiltration, persistent access, modification of configurations, or disruption of services.
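As an added example (not code from the advisory, the vendor, or the referenced repository), a defender-side check that parses JSON bodies sent to the affected endpoint and flags string parameters carrying shell metacharacters, suitable for a WAF rule or for review of captured HTTP traffic. The metacharacter set, the JSON field names and the sample requests are constructed assumptions for illustration, not values taken from the exploit details.

```python
from __future__ import annotations
import json
import re
from typing import Any, Iterator

# Endpoint named in the advisory; it accepts its parameters as JSON.
TARGET_PATH = "/goform/formJsonAjaxReq"

# Shell metacharacters that have no business in a router configuration value.
# This set is an assumption for the example, not a list from the advisory.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def iter_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string leaf, including nested objects/arrays."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, val in node.items():
            yield from iter_strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from iter_strings(val, f"{path}[{idx}]")


def suspicious_params(path: str, body: bytes) -> list[str]:
    """JSON paths in a request to the affected endpoint whose string values contain
    shell metacharacters. Other endpoints and non-JSON bodies yield an empty list."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return []
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        return []
    return [p for p, v in iter_strings(doc) if SHELL_META.search(v)]


# Constructed sample requests (not captured traffic): (request path, raw body).
SAMPLE_REQUESTS = [
    ("/goform/formJsonAjaxReq", b'{"topicurl":"setWifi","ssid":"home-net","key":"correct horse"}'),
    ("/goform/formJsonAjaxReq", b'{"topicurl":"setWifi","ssid":"home-net;x"}'),
    ("/goform/formJsonAjaxReq", b'{"cfg":{"ntp":{"server":"pool.example.org`x`"}}}'),
    ("/goform/formLogin", b'{"user":"admin|x"}'),
    ("/goform/formJsonAjaxReq", b"not json"),
]


def scan(requests=SAMPLE_REQUESTS) -> dict[int, list[str]]:
    """Map sample index -> flagged JSON paths; only hits on the affected endpoint count."""
    return {i: hits for i, (path, body) in enumerate(requests)
            if (hits := suspicious_params(path, body))}


if __name__ == "__main__":
    for i, hits in scan().items():
        print(f"request {i}: shell metacharacters in {hits}")
```

Requests to other endpoints are ignored by design so the rule stays scoped to the advisory; widen `TARGET_PATH` matching if the same handler is reachable under other paths.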
References include product pages for the LT15D and LT21B devices on tuoshi.net, along with a GitHub repository containing a whitepaper, exploit details in CVE-2024-53944.txt, and a proof-of-concept GIF demonstrating blind command injection from the WAN side without authentication. No specific patches or mitigation guidance from vendors is detailed in the available information.
Details
- CWE(s)