CVE-2024-53944

Published Feb 27, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-53944 involves a command injection vulnerability found in certain Tuoshi/Dionlink 4G Wi-Fi devices, specifically those running firmware versions M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and M7628xUSAxUIv2_v1.0.1481.15.02_P0. The vulnerability exists in the `/goform/formJsonAjaxReq` endpoint, which doesn't properly sanitize shell metacharacters within JSON parameters. This flaw allows a remote, unauthenticated attacker with network access to inject and execute arbitrary operating system commands with root privileges. The vulnerability has been acknowledged by the vendor, Shenzhen Tuoshi Network Communications Co.,Ltd / Dionlink. The researcher who discovered this vulnerability is Edward Warren.

Description: An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
Source: cve@mitre.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-94

Hype score: Not currently trending

Overview

AI description

Risk scores

CVSS 3.1

Weaknesses

Social media

References