{"uuid": "3a78340c-542b-4bfc-b0df-528e7c0a216f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-53944", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/5752", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-53944\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.\n\ud83d\udccf Published: 2025-02-27T00:00:00.000Z\n\ud83d\udccf Modified: 2025-02-27T19:20:12.221Z\n\ud83d\udd17 References:\n1. http://www.tuoshi.net/productview.asp?id=218\n2. http://www.tuoshi.net/productview.asp?id=226\n3. https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt\n4. https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf\n5. https://github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gif", "creation_timestamp": "2025-02-27T19:25:48.000000Z"}