CVE-2024-39209
Description
luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the scode parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
luci-app-sms-tool v1.9-6 contains a command injection vulnerability via the scode parameter, allowing unauthenticated remote code execution.
Vulnerability
Description
The luci-app-sms-tool plugin for OpenWrt, up to version 1.9-6, is vulnerable to OS command injection in the run_sms request handler. The vulnerability exists in the sms.lua controller file, where the scode parameter is passed unsanitized to a system command [1]. This allows an attacker to inject arbitrary commands.
Exploitation
An unauthenticated attacker can exploit this by sending a crafted GET request to /cgi-bin/luci/admin/modem/sms/run_sms with a malicious scode parameter. For example, the payload ; ls />/www/smstool123.txt # writes the output of ls to a publicly accessible file. The attack does not require authentication, and the attacker can execute any command [1][2].
Impact
Successful exploitation enables an attacker to execute arbitrary commands on the device with the privileges of the web server (typically root). This can lead to full compromise of the router, including data exfiltration, installation of malware, or denial of service.
Mitigation
As of the vulnerability disclosure, no patch has been released. The vendor was contacted but no fix is available. Users should monitor the project repository for updates or consider removing or restricting access to the luci-app-sms-tool plugin if not needed [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 1.9-6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.