cbcvebase.
CVE-2024-53944
published 2025-02-27

CVE-2024-53944: An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through…

PriorityP193critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
39.25%
98.4th percentile
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.

Detection & IOCsextracted from sources · hover to see the quote

path/goform/formJsonAjaxReq
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tuoshi set_online check_ip Parameter Command Injection Attempt (CVE-2024-53944)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/goform/formJsonAjaxReq"; http.request_body; content:"|22|action|22 3a 22|set_online|22|"; fast_pattern; pcre:"/\x22check_ip[12]\x22(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/actuator/cve/tree/main/Tuoshi; reference:cve,2024-53944; classtype:attempted-admin; sid:2066603; rev:1; metadata:affected_product Tuoshi, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_06, cve CVE_2024_53944, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Target HTTP POST requests to the exact URI /goform/formJsonAjaxReq (bsize:23) on Tuoshi/Dionlink devices; the vulnerable endpoint does not sanitize shell metacharacters in JSON body parameters.
  • Inspect the HTTP request body for the JSON action value 'set_online' combined with parameters check_ip1 or check_ip2 containing shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The attack is unauthenticated and exploitable over plaintext HTTP from any network-accessible host; prioritize perimeter and internal deployment of detection rules.
  • Affected firmware versions to fingerprint in asset inventory: LT15D through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B through M7628xUSAxUIv2_v1.0.1481.15.02_P0.
  • ·The Snort/Suricata rule (sid:2066603) matches only plaintext HTTP traffic (tls_state plaintext); if the device is ever accessed over HTTPS/TLS, this rule will not fire and additional TLS-inspection coverage is needed.
  • ·The URI content match uses bsize:23, enforcing an exact URI length for /goform/formJsonAjaxReq; any path prefix or suffix added by a proxy or WAF rewrite could cause the rule to miss the attack.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.