Critical severity 9.8 · NVD Advisory · Published Feb 27, 2025 · Updated Apr 15, 2026
CVE-2024-53944
Description
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, allowing attackers to execute arbitrary OS commands with root privileges.
Patches
No patches discovered yet.
References
- www.tuoshi.net/productview.asp (nvd)
- github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf (nvd)
- github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt (nvd)
- github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gif (nvd)