PT-2025-33278 · Kuwfi · Kuwfi 4G Ac900 Lte Router

Published 2025-08-14 · Updated 2025-08-16 · CVE-2024-53945

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: KuWFi 4G AC900 LTE router version 1.0.13
Description: The KuWFi 4G AC900 LTE router is susceptible to command injection via the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges by injecting shell metacharacters into parameters like pincode and cmds. Successful exploitation can result in full system compromise, potentially including enabling remote access such as telnet.
Recommendations: KuWFi 4G AC900 LTE router version 1.0.13: As a temporary workaround, restrict access to the affected API endpoints /goform/formMultiApnSetting and /goform/atCmd to minimize the risk of exploitation.
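
One way to monitor the two endpoints while access is being restricted, added here as an example and not taken from the advisory or the vendor. It assumes the parameters arrive URL-encoded in the query string or form body; the function name `inspect`, the `ADMIN_NETS` range and the sample records are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qsl

# Endpoints and parameters named in the advisory.
WATCHED = {
    "/goform/formMultiApnSetting": {"pincode"},
    "/goform/atCmd": {"cmds"},
}
# Characters a POSIX shell treats specially. ';' and '&' also occur in
# legitimate AT command syntax, so hits on 'cmds' need analyst triage.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r\\]")
# Assumption: hosts allowed to administer the router (constructed value).
ADMIN_NETS = [ip_network("192.168.8.0/28")]


def inspect(src_ip, target, body=""):
    """Return a list of findings for one request to the router's web API."""
    url = urlsplit(target)
    params = WATCHED.get(url.path)
    if params is None:
        return []  # not one of the affected endpoints
    findings = []
    if not any(ip_address(src_ip) in net for net in ADMIN_NETS):
        findings.append(f"{url.path}: reached from unapproved source {src_ip}")
    # parse_qsl URL-decodes values, so '%3B' and ';' are treated alike.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    for name, value in pairs:
        if name in params and SHELL_META.search(value):
            findings.append(f"{url.path}: shell metacharacter in {name}={value!r}")
    return findings


# Constructed sample records: (source IP, request target, form body).
SAMPLES = [
    ("192.168.8.2", "/goform/formMultiApnSetting", "pincode=1234"),
    ("192.168.8.2", "/goform/formMultiApnSetting", "pincode=1234%3Becho%20test"),
    ("203.0.113.7", "/goform/atCmd", "cmds=AT%2BCSQ"),
    ("192.168.8.2", "/index.html", ""),
]

if __name__ == "__main__":
    for record in SAMPLES:
        for finding in inspect(*record):
            print(finding)
```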

Exploit · Fix · Code Injection · Command Injection

Related Identifiers: CVE-2024-53945

Affected Products: Kuwfi 4G Ac900 Lte Router