Cyber Resilience

CVE-2024-53944

Critical · RCE

Published: 27 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: no vendor patch referenced
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1724 (95.2nd percentile)
Risk priority: 30 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53944 is a critical-severity Code Injection (CWE-94) vulnerability in Tuoshi devices (vendor inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-53944 is a command injection vulnerability affecting Tuoshi/Dionlink LT15D 4G Wi-Fi devices through firmware M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. The issue occurs at the /goform/formJsonAjaxReq endpoint, which fails to sanitize shell metacharacters supplied in JSON parameters and thereby permits arbitrary operating system command execution.

An unauthenticated remote attacker with network access can exploit the flaw to run commands as root, resulting in complete device compromise. The vulnerability is rated 9.8 under CVSS 3.1 and is also associated with CWE-94.

References consist of product pages and GitHub-hosted technical materials including a whitepaper and proof-of-concept demonstration, but contain no vendor statements on patches or mitigation steps. The EPSS score has remained flat at 0.1724 with no material rise observed.


Vulnerability details

An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in an unauthenticated web endpoint enables remote OS command execution (via the Unix shell) with root privileges on a public-facing network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-29955 (shared CWE-94)
- CVE-2024-55964 (shared CWE-94)
- CVE-2026-20045 (shared CWE-94)
- CVE-2025-67038 (shared CWE-94)
- CVE-2024-23921 (shared CWE-94)
- CVE-2024-44722 (shared CWE-94)
- CVE-2026-25001 (shared CWE-94)
- CVE-2025-25680 (shared CWE-94)
- CVE-2026-43680 (shared CWE-94)
- CVE-2024-54804 (shared CWE-94)

Affected Assets

Tuoshi (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent)
Directly mitigates the command injection vulnerability by requiring validity checks and sanitization of JSON parameters to block shell metacharacters.

IA-8 Identification and Authentication (Non-organizational Users) (prevent)
Prevents unauthenticated remote attackers from accessing the vulnerable /goform/formJsonAjaxReq endpoint by mandating identification and authentication for non-organizational users.

(prevent, recover)
Ensures timely identification, reporting, and correction of the specific command injection flaw, including patching affected firmware versions.
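The SI-10 control above, and the "Deeper analysis" description of unsanitized JSON parameters reaching a root shell, can be illustrated with a defensive check. The following Python is an added example written for this page, not firmware or vendor code; the parameter names, the allowlist rules and the request records are constructed assumptions, because the page does not document the endpoint's real parameters. It shows three things a practitioner would want from an SI-10 style fix and a detection: allowlist validation that rejects unknown keys, wrong types and shell metacharacters before any value is used; handing the validated value to the OS as a discrete argv element rather than building a shell string; and a detection pass over request records that flags bodies sent to /goform/formJsonAjaxReq carrying metacharacters in any nested string value.

```python
import json
import re

# Characters that change the meaning of a string once it reaches /bin/sh.
SHELL_METACHARACTERS = frozenset(";|&$`<>(){}\n\r\\\"'")

# Hypothetical allowlist for parameters a firmware endpoint might accept (constructed;
# the real LT15D/LT21B parameter names are not documented on this page).
PARAM_RULES = {
    "hostname": re.compile(r"[A-Za-z0-9-]{1,63}"),
    "dns": re.compile(r"\d{1,3}(\.\d{1,3}){3}"),
}

VULNERABLE_ENDPOINT = "/goform/formJsonAjaxReq"


def find_metacharacters(value: str) -> str:
    """Return the shell metacharacters present in value, sorted, as one string ("" if none)."""
    return "".join(sorted(set(value) & SHELL_METACHARACTERS))


def validate_params(raw_body: str):
    """Allowlist validation of a JSON request body. Returns (ok, errors).

    Unknown keys, non-string values, shell metacharacters and values outside the
    per-parameter format are all rejected; nothing is 'sanitized' in place."""
    try:
        params = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return False, [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(params, dict):
        return False, ["body must be a JSON object"]
    errors = []
    for key, value in params.items():
        rule = PARAM_RULES.get(key)
        if rule is None:
            errors.append(f"{key}: not an allowed parameter")
            continue
        if not isinstance(value, str):
            errors.append(f"{key}: expected string, got {type(value).__name__}")
            continue
        bad = find_metacharacters(value)
        if bad:
            errors.append(f"{key}: contains shell metacharacters {bad!r}")
            continue
        if not rule.fullmatch(value):
            errors.append(f"{key}: does not match allowed format")
    return not errors, errors


def build_hostname_command(raw_body: str):
    """Validate first, then return an argv list (hypothetical 'hostname' tool) so that the
    value is passed as one argument and no shell ever parses it, e.g. subprocess.run(argv)."""
    ok, errors = validate_params(raw_body)
    if not ok:
        raise ValueError("; ".join(errors))
    params = json.loads(raw_body)
    if "hostname" not in params:
        raise ValueError("hostname missing")
    return ["hostname", params["hostname"]]


def tainted_values(obj, path=""):
    """Recursively yield (json_path, metacharacters) for every string carrying a metacharacter."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from tainted_values(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from tainted_values(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        bad = find_metacharacters(obj)
        if bad:
            yield path, bad


# Constructed request records of the kind an application log or reverse proxy could retain.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": VULNERABLE_ENDPOINT, "body": '{"hostname": "lt15d-home"}'},
    {"src": "203.0.113.7", "path": VULNERABLE_ENDPOINT, "body": '{"hostname": "x; echo hit"}'},
    {"src": "192.0.2.11", "path": "/index.html", "body": ""},
    {"src": "203.0.113.8", "path": VULNERABLE_ENDPOINT, "body": '{"dns": "8.8.8.8", "extra": "$(uname)"}'},
]


def flag_suspicious_requests(records, endpoint=VULNERABLE_ENDPOINT):
    """Return [(src, hits)] for requests to the endpoint whose JSON body carries metacharacters
    in any nested string value; malformed bodies are reported as well."""
    findings = []
    for rec in records:
        if rec["path"] != endpoint or not rec["body"]:
            continue
        try:
            params = json.loads(rec["body"])
        except json.JSONDecodeError:
            findings.append((rec["src"], "malformed JSON"))
            continue
        hits = list(tainted_values(params))
        if hits:
            findings.append((rec["src"], hits))
    return findings


if __name__ == "__main__":
    print(validate_params('{"hostname": "x; echo hit"}'))
    print(build_hostname_command('{"hostname": "lt15d-home"}'))
    for src, hits in flag_suspicious_requests(SAMPLE_REQUESTS):
        print(f"{src}: {hits}")
```

The allowlist is deliberately strict rather than a denylist of metacharacters alone: the metacharacter check is kept as an explicit, loggable signal, but the format rule is what ultimately decides, so a value that is merely unexpected is still refused. The detection walks nested objects and arrays because a field that is not at the top level is just as reachable by the handler.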
