CVE-2024-53945

High · RCE

Published: 14 August 2025

Modified: 15 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0182 (83.3rd percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53945 is a high-severity Command Injection (CWE-77) vulnerability in Kuwfi (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-53945 is a command injection vulnerability (CWE-77) affecting the KuWFi 4G AC900 LTE router running firmware version 1.0.13. The flaw exists in the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd, where shell metacharacters injected into parameters such as pincode and cmds are executed as arbitrary OS commands with root privileges. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with low privileges and network access to the router can exploit this vulnerability without user interaction. Successful exploitation allows execution of arbitrary commands as root, leading to full system compromise. Attackers can achieve outcomes such as enabling remote access services like telnet, granting persistent backdoor access.

Advisories and additional details are available in referenced sources, including a GitHub repository at https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2024-53945.txt and the related tree at https://github.com/actuator/cve/tree/main/Kuwfi, as well as the product page at https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port. No specific patch or mitigation guidance is detailed in the provided information.

Vulnerability details

The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds. Exploitation can lead to full system compromise, including enabling remote access (e.g., enabling telnet).

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection in network-exposed HTTP API endpoints directly enables remote OS command execution as root from low-priv authenticated access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64424: Shared CWE-77
CVE-2026-38703: Shared CWE-77
CVE-2026-38702: Shared CWE-77
CVE-2025-22939: Shared CWE-77
CVE-2025-22941: Shared CWE-77
CVE-2026-20094: Shared CWE-77
CVE-2026-3519: Shared CWE-77
CVE-2026-4048: Shared CWE-77
CVE-2026-31059: Shared CWE-77
CVE-2026-22284: Shared CWE-77

Affected Assets

Kuwfi
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly prevents command injection by requiring validation of inputs to vulnerable HTTP API endpoints like /goform/formMultiApnSetting and /goform/atCmd to reject shell metacharacters.

prevent

Mandates timely flaw remediation, such as applying firmware patches for CVE-2024-53945, to eliminate the command injection vulnerability.

prevent

Restricts information inputs at API parameters like pincode and cmds to authorized formats, blocking shell metacharacters and preventing arbitrary command execution.
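
An added example, not code from the vendor firmware or the referenced advisory: a default-deny allowlist check of the kind the input-validation control describes for the pincode and cmds fields. The accepted formats (a 4 to 8 digit PIN, an upper-case AT command drawn from a fixed character set) and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a SIM PIN is 4 to 8 decimal digits and nothing else. */
static int valid_pincode(const char *s)
{
    size_t n = strlen(s);
    return n >= 4 && n <= 8 && strspn(s, "0123456789") == n;
}

/* Assumption: only simple AT commands are needed: "AT" followed by
 * upper-case letters, digits and + = ? , with a 64-byte cap. */
static int valid_at_cmd(const char *s)
{
    size_t n = strlen(s);
    if (n < 2 || n > 64 || strncmp(s, "AT", 2) != 0)
        return 0;
    return strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=?,") == n;
}

/* Default-deny gate for a form field before it reaches any command string.
 * Returns 1 only for a known field whose value matches its allowlist. */
int goform_param_ok(const char *name, const char *value)
{
    if (name == NULL || value == NULL)
        return 0;
    if (strcmp(name, "pincode") == 0)
        return valid_pincode(value);
    if (strcmp(name, "cmds") == 0)
        return valid_at_cmd(value);
    return 0; /* unknown field: reject rather than pass through */
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[][2] = {
        {"pincode", "1234"}, {"pincode", "1234;x"},
        {"cmds", "AT+CPIN?"}, {"cmds", "AT+CSQ|X"},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %-10s %s\n", samples[i][0], samples[i][1],
               goform_param_ok(samples[i][0], samples[i][1]) ? "accept" : "reject");
    return 0;
}
```

An allowlist of this kind is one layer only: a handler that passes the validated value as a separate argument, and not inside a shell command string, removes the metacharacter interpretation altogether.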

References