Critical severity9.8NVD Advisory· Published Feb 27, 2025· Updated Apr 15, 2026
CVE-2024-53944
CVE-2024-53944
Description
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: M7628NNxlSPv2xUI_v1.0.1802.10.08_P4
- Range: M7628xUSAxUIv2_v1.0.1481.15.02_P0
Patches
Vulnerability mechanics
References
5- www.tuoshi.net/productview.aspnvd
- www.tuoshi.net/productview.aspnvd
- github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdfnvd
- github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txtnvd
- github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gifnvd
News mentions
0No linked articles in our index yet.