CVE-2024-53944
Published 2025-02-27
Priority P193 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV · Exploited in the wild
EPSS 39.25% (98.4th percentile)
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tuoshi set_online check_ip Parameter Command Injection Attempt (CVE-2024-53944)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/goform/formJsonAjaxReq"; http.request_body; content:"|22|action|22 3a 22|set_online|22|"; fast_pattern; pcre:"/\x22check_ip[12]\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/actuator/cve/tree/main/Tuoshi; reference:cve,2024-53944; classtype:attempted-admin; sid:2066603; rev:1; metadata:affected_product Tuoshi, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_06, cve CVE_2024_53944, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Match HTTP POST requests to the exact URI /goform/formJsonAjaxReq (bsize:23) on Tuoshi/Dionlink devices; the vulnerable endpoint does not sanitize shell metacharacters in JSON body parameters.
- Inspect the HTTP request body for the JSON action value 'set_online' combined with parameters check_ip1 or check_ip2 containing shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- The attack is unauthenticated and exploitable over plaintext HTTP from any network-accessible host; prioritize perimeter and internal deployment of detection rules.
- Affected firmware versions to fingerprint in asset inventory: LT15D through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B through M7628xUSAxUIv2_v1.0.1481.15.02_P0.
- The Snort/Suricata rule (sid:2066603) matches only plaintext HTTP traffic (tls_state plaintext); if the device is ever accessed over HTTPS/TLS, this rule will not fire and additional TLS-inspection coverage is needed.
- The URI content match uses bsize:23, enforcing an exact URI length for /goform/formJsonAjaxReq; any path prefix or suffix added by a proxy or WAF rewrite could cause the rule to miss the attack.
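The rule's conditions can also be applied offline to proxy or WAF logs that record the request body. The following is an added example, not part of the rule or its sources: it reuses the rule's pcre unchanged and separately reports requests that miss only because of the exact-URI (bsize:23) condition. The function name, the "path-variant" verdict and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/goform/formJsonAjaxReq"   # 23 bytes, which is what bsize:23 pins
ACTION = b'"action":"set_online"'      # the rule's fast_pattern content match

# The rule's pcre, copied as-is: a check_ip1/check_ip2 key whose value reaches
# ; newline ` | or $ (raw or percent-encoded) before the next ',' or '}'.
CHECK_IP = re.compile(
    rb"\x22check_ip[12]\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?"
    rb"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)

def classify(method: str, uri: str, body: bytes):
    """'rule' = all conditions of sid:2066603 hold; 'path-variant' = only the
    exact-URI condition fails; None = no match."""
    if method != "POST" or ACTION not in body or not CHECK_IP.search(body):
        return None
    if uri == ENDPOINT:
        return "rule"
    # Assumption (not part of the rule): a rewritten path that still ends in
    # the endpoint is worth a hunting hit, since bsize:23 would skip it.
    if urlsplit(uri).path.endswith(ENDPOINT):
        return "path-variant"
    return None

# Constructed sample requests (method, URI, body); PLACEHOLDER stands in for
# whatever follows the metacharacter.
SAMPLES = [
    ("POST", ENDPOINT, b'{"action":"set_online","check_ip1":"8.8.8.8","check_ip2":"1.1.1.1"}'),
    ("POST", ENDPOINT, b'{"action":"set_online","check_ip1":"8.8.8.8;PLACEHOLDER"}'),
    ("POST", ENDPOINT, b'{"action":"set_online","check_ip2":"1.1.1.1%7CPLACEHOLDER"}'),
    ("POST", "/proxy" + ENDPOINT, b'{"action":"set_online","check_ip1":"8.8.8.8;PLACEHOLDER"}'),
    ("GET", ENDPOINT, b'{"action":"set_online","check_ip1":"8.8.8.8;PLACEHOLDER"}'),
]

def run():
    """Classify every constructed sample, in order."""
    return [classify(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run()):
        print(verdict, sample[1], sample[2].decode())
```

A "path-variant" verdict marks traffic the network rule would not alert on, so it is the part of the output to review when devices sit behind a rewriting proxy.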
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-3r6h-cmr9-36j6 · ghsa_unreviewed · 2025-02-27
CVE-2024-53944 [CRITICAL] CWE-94
VulnCheck
CVE-2024-53944 [CRITICAL] Improper Control of Generation of Code ('Code Injection')
vulncheck · 2024 · CVSS 9.8
Affected: Tuoshi/Dionlink LT15D 4G Wi-Fi Devices
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/
Suricata
CVE-2024-53944 [CRITICAL] ET WEB_SPECIFIC_APPS Tuoshi set_online check_ip Parameter Command Injection Attempt (CVE-2024-53944)
suricata · 2026-01-06 · CVSS 9.8
No public exploits indexed.
http://www.tuoshi.net/productview.asp?id=218
http://www.tuoshi.net/productview.asp?id=226
https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf
https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt
https://github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gif
Published: 2025-02-27
Exploited in the wild