CVE-2024-53944
Published: 27 February 2025
Summary
CVE-2024-53944 is a critical-severity Code Injection (CWE-94) vulnerability in Tuoshi (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-53944 is a command injection vulnerability affecting Tuoshi/Dionlink LT15D 4G Wi-Fi devices through firmware M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. The issue occurs at the /goform/formJsonAjaxReq endpoint, which fails to sanitize shell metacharacters supplied in JSON parameters and thereby permits arbitrary operating system command execution.
An unauthenticated remote attacker with network access can exploit the flaw to run commands as root, resulting in complete device compromise. The vulnerability is rated 9.8 under CVSS 3.1 and is also associated with CWE-94.
References consist of product pages and GitHub-hosted technical materials including a whitepaper and proof-of-concept demonstration, but contain no vendor statements on patches or mitigation steps. The EPSS score has remained flat at 0.1724 with no material rise observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6002
Vulnerability details
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via…
more
JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in unauthenticated web endpoint enables remote OS command execution (Unix shell) with root privileges on public-facing network device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the command injection vulnerability by requiring validity checks and sanitization of JSON parameters to block shell metacharacters.
Prevents unauthenticated remote attackers from accessing the vulnerable /goform/formJsonAjaxReq endpoint by mandating identification and authentication for non-organizational users.
Ensures timely identification, reporting, and correction of the specific command injection flaw, including patching affected firmware versions.