CVE-2024-53939
Published: 2024-12-02
Priority P2 61 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.85% (85.0th percentile)
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint is vulnerable to command injection through the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute arbitrary commands on the device (with root-level permissions) via crafted input.
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Victure Dual_freq_un_apple Multiple Parameters Command Injection Attempt (CVE-2024-53939)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:43; content:"/cgi-bin/luci/admin/opsw/Dual_freq_un_apple"; fast_pattern; http.request_body; pcre:"/\x22ssid(?:_5)?\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/actuator/cve/tree/main/Victure; reference:cve,2024-53939; classtype:attempted-admin; sid:2066601; rev:1; metadata:affected_product Victure, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_06, cve CVE_2024_53939, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for HTTP POST requests to the exact URI path /cgi-bin/luci/admin/opsw/Dual_freq_un_apple (bsize:43 is an exact URI length match).
- Inspect the POST request body for JSON fields 'ssid' or 'ssid_5' whose values contain shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24). These indicate command injection payloads.
- Exploitation results in arbitrary command execution with root-level permissions on the device; alert on any unexpected outbound connections or process spawning from the router's CGI process following a POST to this endpoint.
- Traffic is expected to be plaintext (HTTP, not HTTPS); deploy detection at the network perimeter and internally.
- The vulnerability is specific to Victure RX1800 WiFi 6 Router running software version EN_V1.0.0_r12_110933 on hardware revision 1.0. Detections should be scoped to traffic destined for devices matching this profile.
- The Snort/Suricata rule (sid:2066601) targets the destination IP ($HOME_NET) and is classified as attempted-admin with High confidence and Major severity; tune $HOME_NET to include router management IPs to reduce false positives.
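The checks in the list above, written as an offline matcher that can be run over proxy or web-server logs. This is an added example, not code from the rule's author or the sources this page indexes; the URI and body pattern are copied from the rule, while the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Path and body pattern copied from the rule on this page (sid:2066601).
# Capture groups are added here only to report the field and the matched token.
TARGET_URI = "/cgi-bin/luci/admin/opsw/Dual_freq_un_apple"
BODY_RE = re.compile(
    rb'\x22(ssid(?:_5)?)\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?'
    rb'((?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+)'
)


def flagged_fields(body: bytes) -> list[tuple[str, str]]:
    """Return (field name, matched metacharacter run) for each hit in the body."""
    return [(m.group(1).decode("latin-1"), m.group(2).decode("latin-1"))
            for m in BODY_RE.finditer(body)]


def rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Mirror the rule's three conditions: POST, exact URI, body pattern."""
    # content plus bsize:43 means the URI buffer must equal the path exactly.
    return method == "POST" and uri == TARGET_URI and bool(flagged_fields(body))


# Constructed sample requests (method, uri, body); none come from real traffic.
SAMPLES = {
    # Ordinary SSID change: no listed character before the ',' or '}' delimiter.
    "benign": ("POST", TARGET_URI,
               b'{"ssid": "HomeNet", "ssid_5": "HomeNet-5G"}'),
    # Raw semicolon inside the 2.4 GHz name.
    "semicolon": ("POST", TARGET_URI,
                  b'{"ssid": "Home;placeholder", "ssid_5": "HomeNet-5G"}'),
    # URL-encoded newline inside the 5 GHz name.
    "encoded_newline": ("POST", TARGET_URI,
                        b'{"ssid": "HomeNet", "ssid_5": "x%0Aplaceholder"}'),
    # A legitimate SSID containing '$' also matches: expect such alerts
    # from normal configuration changes and triage them by source.
    "legit_dollar": ("POST", TARGET_URI,
                     b'{"ssid": "Cafe$5", "ssid_5": "Cafe-5G"}'),
    # Same body over GET does not satisfy the http.method condition.
    "get_request": ("GET", TARGET_URI,
                    b'{"ssid": "Home;placeholder"}'),
}

if __name__ == "__main__":
    for name, (method, uri, body) in SAMPLES.items():
        hit = rule_matches(method, uri, body)
        print(f"{name:16} match={hit!s:5} fields={flagged_fields(body)}")
```
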
Suricata
ET WEB_SPECIFIC_APPS Victure Dual_freq_un_apple Multiple Parameters Command Injection Attempt (CVE-2024-53939)
suricata·2026-01-06·CVSS 8.8
No public exploits indexed.
No writeups or analysis indexed.