CVE-2024-53939
published 2024-12-02

Priority: P2 · 61 · high
CVSS 3.1: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.85% (85.0th percentile)
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint is vulnerable to command injection through the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute arbitrary commands on the device (with root-level permissions) via crafted input.

Detection & IOCs (extracted from sources)

path: /cgi-bin/luci/admin/opsw/Dual_freq_un_apple
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Victure Dual_freq_un_apple Multiple Parameters Command Injection Attempt (CVE-2024-53939)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:43; content:"/cgi-bin/luci/admin/opsw/Dual_freq_un_apple"; fast_pattern; http.request_body; pcre:"/\x22ssid(?:_5)?\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/actuator/cve/tree/main/Victure; reference:cve,2024-53939; classtype:attempted-admin; sid:2066601; rev:1; metadata:affected_product Victure, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_06, cve CVE_2024_53939, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to the exact URI path /cgi-bin/luci/admin/opsw/Dual_freq_un_apple (bsize:43 — exact URI length match).
  • Inspect the POST request body for JSON fields 'ssid' or 'ssid_5' whose values contain shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24) — these indicate command injection payloads.
  • Exploitation results in arbitrary command execution with root-level permissions on the device; alert on any unexpected outbound connections or process spawning from the router's CGI process following a POST to this endpoint.
  • Traffic is expected to be plaintext (HTTP, not HTTPS); deploy detection at the network perimeter and internally.
  • The vulnerability is specific to Victure RX1800 WiFi 6 Router running software version EN_V1.0.0_r12_110933 on hardware revision 1.0. Detections should be scoped to traffic destined for devices matching this profile.
  • The Snort/Suricata rule (sid:2066601) targets the destination IP ($HOME_NET) and is classified as attempted-admin with High confidence and Major severity; tune $HOME_NET to include router management IPs to reduce false positives.
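
The rule's three conditions applied offline to request records, as an added example (not part of the original page or of the rule's publisher). The regular expression is transcribed from the pcre option of sid:2066601; the sample requests and the /cgi-bin/luci/admin/other path are constructed, and <placeholder> stands in for whatever would follow a metacharacter.

```python
import re

ENDPOINT = "/cgi-bin/luci/admin/opsw/Dual_freq_un_apple"

# Body pattern transcribed from the pcre option of sid:2066601.
BODY_RE = re.compile(
    r'\x22ssid(?:_5)?\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?'
    r'(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)'
    r'|(?:\x7c|%7[Cc])|(?:\x24|%24))+'
)


def rule_match(method, uri, body):
    """Return the matched body span if all three rule conditions hold, else None."""
    # http.method "POST"; bsize:43 with a 43-byte content means the URI must be equal.
    if method != "POST" or uri != ENDPOINT:
        return None
    m = BODY_RE.search(body)
    return m.group(0) if m else None


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("benign", "POST", ENDPOINT,
     '{"ssid": "HomeNet", "ssid_5": "HomeNet-5G"}'),
    ("literal-semicolon", "POST", ENDPOINT,
     '{"ssid": "HomeNet;<placeholder>", "ssid_5": "HomeNet-5G"}'),
    ("encoded-backtick", "POST", ENDPOINT,
     '{"ssid": "HomeNet", "ssid_5": "Net%60<placeholder>%60"}'),
    ("benign-dollar", "POST", ENDPOINT,
     '{"ssid": "Cafe $5 WiFi", "ssid_5": "Cafe-5G"}'),
    ("other-endpoint", "POST", "/cgi-bin/luci/admin/other",  # hypothetical path
     '{"ssid": "HomeNet;<placeholder>"}'),
]


def flagged(samples=SAMPLES):
    """Map each flagged sample name to the body span that triggered the rule."""
    hits = {}
    for name, method, uri, body in samples:
        span = rule_match(method, uri, body)
        if span is not None:
            hits[name] = span
    return hits


if __name__ == "__main__":
    for name, span in flagged().items():
        print(f"{name}: {span!r}")
```

The benign-dollar sample is flagged as well: an ordinary SSID containing a dollar sign satisfies the same pattern, which is worth knowing when triaging alerts from this rule.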