CVE-2024-53945
Published: 2025-08-14
Priority: P2 · 76 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 19.05% (97.0th percentile)
The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds. Exploitation can lead to full system compromise, including enabling remote access (e.g., enabling telnet).
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kuwfi atCmd cmds Parameter Command Injection Attempt M2 (CVE-2024-53945)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/atCmd"; fast_pattern; http.request_body; content:"cmds|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/actuator/cve/blob/main/Kuwfi/CVE-2024-53945.txt; reference:cve,2024-53945; classtype:attempted-admin; sid:2066634; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kuwfi formMultiApnSetting pincode Parameter Command Injection Attempt M1 (CVE-2024-53945)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/formMultiApnSetting"; fast_pattern; http.request_body; content:"pincode|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/actuator/cve/blob/main/Kuwfi/CVE-2024-53945.txt; reference:cve,2024-53945; classtype:attempted-admin; sid:2066632; rev:1;)
- Look for POST requests to /goform/atCmd with the 'cmds' parameter containing shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- Look for POST requests to /goform/formMultiApnSetting with the 'pincode' parameter containing shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- Exploitation can result in telnet being enabled on the device as a post-exploitation persistence/access mechanism; monitor for unexpected telnet service activation on LTE routers.
- Both Snort rules target plaintext HTTP traffic (tls_state plaintext) inbound to the home network; deploy at perimeter and internal network boundaries.
- Exploitation requires prior authentication; unauthenticated attackers cannot directly trigger the command injection.
- The URI bsize match in both Snort rules as shown is set to 27 bytes, which exactly matches '/goform/formMultiApnSetting' (27 characters). '/goform/atCmd' is 13 characters, so compare the atCmd rule against the upstream ruleset before deploying it, and ensure your IDS/IPS does not truncate URI buffers before this length.
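As an added illustration (not part of the original page or of the Emerging Threats ruleset), the matching logic of the two rules above can be approximated in Python and run over constructed requests. The function names, the sample requests and the `bsize_from_path` option are assumptions made for this example; it also shows what the printed 27-byte `bsize` does to a request for the 13-byte `/goform/atCmd` path.

```python
import re

# Metacharacters from the rules' pcre: ; newline ` | $ (raw or percent-encoded).
METACHARS = rb"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"
# Rule parameters copied from the two rules as printed on this page.
RULES = {
    2066634: {"path": b"/goform/atCmd", "param": b"cmds", "bsize": 27},
    2066632: {"path": b"/goform/formMultiApnSetting", "param": b"pincode", "bsize": 27},
}

def value_has_metachar(param: bytes, body: bytes) -> bool:
    """Approximate content:"<param>=" plus the relative pcre: a metacharacter
    appearing before the next '&' (0x26) in that parameter's value."""
    pattern = re.escape(param) + rb"=[^&]*?" + METACHARS
    return re.search(pattern, body) is not None

def rule_fires(sid: int, method: bytes, uri: bytes, body: bytes, bsize=None) -> bool:
    """Evaluate one rule; bsize=None uses the value printed on the page."""
    rule = RULES[sid]
    size = rule["bsize"] if bsize is None else bsize
    return (
        method == b"POST"
        and len(uri) == size        # bsize: exact length of the http.uri buffer
        and rule["path"] in uri     # content match inside the URI buffer
        and value_has_metachar(rule["param"], body)
    )

# Constructed sample requests (method, uri, body); the "X" tokens are inert placeholders.
SAMPLES = [
    (b"POST", b"/goform/formMultiApnSetting", b"apn=internet&pincode=1234%3BX"),
    (b"POST", b"/goform/formMultiApnSetting", b"apn=internet&pincode=1234"),
    (b"POST", b"/goform/atCmd", b"cmds=AT%2BCSQ%7CX"),
    (b"GET", b"/goform/atCmd", b""),
]

def scan(samples, bsize_from_path=False):
    """Return, per sample, the sids that fire (assumed option: bsize = path length)."""
    out = []
    for method, uri, body in samples:
        out.append([
            sid for sid, r in sorted(RULES.items())
            if rule_fires(sid, method, uri, body,
                          len(r["path"]) if bsize_from_path else None)
        ])
    return out

if __name__ == "__main__":
    print(scan(SAMPLES), scan(SAMPLES, bsize_from_path=True))
```

With the values as printed, the third sample does not alert because its URI is 13 bytes long; it alerts only when the length check is set to the path's own length.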
Suricata
ET WEB_SPECIFIC_APPS Kuwfi atCmd cmds Parameter Command Injection Attempt M2 (CVE-2024-53945)
suricata · 2026-01-08 · CVSS 8.8 · HIGH
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kuwfi atCmd cmds Parameter Command Injection Attempt M2 (CVE-2024-53945)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/atCmd"; fast_pattern; http.request_body; content:"cmds|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/actuator/cve/blob/main/Kuwfi/CVE-2024-53945.txt; reference:cve,2024-53945; classtype:attempted-admin; sid:2066634; rev:1; metadata:affected_product Kuwfi, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_08, cve CVE_2024_53945, deployment Perimeter, depl
Suricata
ET WEB_SPECIFIC_APPS Kuwfi formMultiApnSetting pincode Parameter Command Injection Attempt M1 (CVE-2024-53945)
suricata · 2026-01-08 · CVSS 8.8 · HIGH
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kuwfi formMultiApnSetting pincode Parameter Command Injection Attempt M1 (CVE-2024-53945)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/formMultiApnSetting"; fast_pattern; http.request_body; content:"pincode|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/actuator/cve/blob/main/Kuwfi/CVE-2024-53945.txt; reference:cve,2024-53945; classtype:attempted-admin; sid:2066632; rev:1; metadata:affected_product Kuwfi, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01
No public exploits indexed.
No writeups or analysis indexed.