CVE-2024-53944
Published: 27 February 2025
Summary
CVE-2024-53944 is a critical-severity Code Injection (CWE-94) vulnerability in Tuoshi (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the command injection vulnerability by requiring validity checks and sanitization of JSON parameters to block shell metacharacters.
Prevents unauthenticated remote attackers from accessing the vulnerable /goform/formJsonAjaxReq endpoint by mandating identification and authentication for non-organizational users.
Ensures timely identification, reporting, and correction of the specific command injection flaw, including patching affected firmware versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in unauthenticated web endpoint enables remote OS command execution (Unix shell) with root privileges on public-facing network device.
NVD Description
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via…
more
JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
Deeper analysisAI
CVE-2024-53944 is a command injection vulnerability (CWE-94) affecting Tuoshi/Dionlink LT15D 4G Wi-Fi devices running firmware through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices running firmware through M7628xUSAxUIv2_v1.0.1481.15.02_P0. The vulnerability resides in the /goform/formJsonAjaxReq endpoint, which fails to properly sanitize shell metacharacters in JSON parameters. This flaw enables attackers to inject and execute arbitrary operating system commands with root privileges. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
An unauthenticated remote attacker with network access to the device can exploit this vulnerability by sending crafted JSON requests to the affected endpoint. Successful exploitation grants root-level command execution on the underlying operating system, potentially allowing full device compromise, including data exfiltration, persistent access, modification of configurations, or disruption of services.
References include product pages for the LT15D and LT21B devices on tuoshi.net, along with a GitHub repository containing a whitepaper, exploit details in CVE-2024-53944.txt, and a proof-of-concept GIF demonstrating blind command injection from the WAN side without authentication. No specific patches or mitigation guidance from vendors is detailed in the available information.
Details
- CWE(s)