CVE-2024-53944
📋 TL;DR
This CVE describes a critical command injection vulnerability in Tuoshi/Dionlink 4G Wi-Fi devices. Unauthenticated remote attackers can execute arbitrary operating system commands with root privileges by sending malicious JSON parameters to the /goform/formJsonAjaxReq endpoint. This affects LT15D and LT21B device models with specific firmware versions.
💻 Affected Systems
- Tuoshi LT15D 4G Wi-Fi Device
- Dionlink LT15D 4G Wi-Fi Device
- Tuoshi LT21B 4G Wi-Fi Device
- Dionlink LT21B 4G Wi-Fi Device
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, exfiltrate data, or use devices as botnet nodes.
Likely Case
Attackers will use compromised devices for cryptocurrency mining, DDoS attacks, credential harvesting, or as proxies for malicious activities.
If Mitigated
With proper network segmentation and access controls, impact is limited to the compromised device only.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available in GitHub repositories. The vulnerability requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Check manufacturer website for firmware updates. If unavailable, implement workarounds immediately.
🔧 Temporary Workarounds
Network Access Control
Block external access to device management interfaces using firewall rules (Linux iptables shown; replace 192.168.1.0/24 with your management subnet). Note that iptables expects the negation before the option (`! -s`), not after it:
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP
Endpoint Isolation
Place affected devices in isolated network segments with no internet access
🧯 If You Can't Patch
- Immediately disconnect affected devices from the internet
- Replace vulnerable devices with alternative products from different vendors
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface at http://device-ip/status.html or via SSH if available. Compare against affected versions.
Check Version:
curl -s http://device-ip/status.html | grep -o 'Firmware Version:[^<]*'
Verify Fix Applied:
Test whether the /goform/formJsonAjaxReq endpoint still accepts malicious JSON payloads. Use curl with a test payload:
curl -X POST http://device-ip/goform/formJsonAjaxReq -H 'Content-Type: application/json' -d '{"test":"`id`"}'
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /goform/formJsonAjaxReq
- Shell command execution in system logs
- Unexpected process creation
Network Indicators:
- Outbound connections from devices to unknown IPs
- Unusual traffic patterns from device management ports
- POST requests with shell metacharacters in payload
SIEM Query:
source="device-logs" AND (url="/goform/formJsonAjaxReq" OR cmd="*sh*" OR process="*/bin/sh*")
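The indicators above, applied to request records, as an added example that is not part of the advisory or its references: it flags POSTs to /goform/formJsonAjaxReq arriving from outside the 192.168.1.0/24 management subnet used in the iptables workaround, and bodies carrying shell metacharacters. The record layout and all sample values are constructed.

```python
import ipaddress
import re

# Endpoint named in the advisory and the management subnet from the
# iptables workaround above (both taken from this page).
VULN_ENDPOINT = "/goform/formJsonAjaxReq"
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")

# Characters that let a JSON value break out of a shell command string.
SHELL_META = re.compile(r"[`;|&\n]|\$\(")

# Constructed sample request records (hypothetical, not real device logs):
# (source IP, HTTP method, URL path, decoded request body).
SAMPLE_RECORDS = [
    ("192.168.1.20", "POST", "/goform/formJsonAjaxReq", '{"field":"value"}'),
    ("192.168.1.20", "GET",  "/status.html", ""),
    ("203.0.113.7",  "POST", "/goform/formJsonAjaxReq", '{"field":"value"}'),
    ("203.0.113.7",  "POST", "/goform/formJsonAjaxReq", '{"test":"`id`"}'),
    ("192.168.1.33", "POST", "/goform/formJsonAjaxReq", '{"name":"a;reboot"}'),
]


def classify(src, method, url, body):
    """Return the list of indicator names that fire for one request record."""
    hits = []
    # Only POSTs to the vulnerable endpoint are of interest here.
    if method != "POST" or url != VULN_ENDPOINT:
        return hits
    # Management traffic should only originate from the management subnet.
    if ipaddress.ip_address(src) not in MGMT_NET:
        hits.append("external-post-to-endpoint")
    # Any shell metacharacter in the body is suspicious for this endpoint.
    if SHELL_META.search(body):
        hits.append("shell-metachar-in-body")
    return hits


def scan(records):
    """Run classify() over records; return (src, url, hits) for alerts only."""
    alerts = []
    for src, method, url, body in records:
        hits = classify(src, method, url, body)
        if hits:
            alerts.append((src, url, hits))
    return alerts


if __name__ == "__main__":
    for src, url, hits in scan(SAMPLE_RECORDS):
        print(f"ALERT {src} {url}: {', '.join(hits)}")
```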
🔗 References
- http://www.tuoshi.net/productview.asp?id=218
- http://www.tuoshi.net/productview.asp?id=226
- https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944-Whitepaper.pdf
- https://github.com/actuator/cve/blob/main/Tuoshi/CVE-2024-53944.txt
- https://github.com/actuator/cve/blob/main/Tuoshi/Firmware-M7628NNxISPv2xUI_v1.0.1802.10.08_P4-Blind-CMD-Injection-unauth-WAN.gif