CVE-2024-58314
HIGH
Atcom 100M IP Phones <2.7.x.x - Command Injection
Title source: llm
Description
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.
Exploits (1)
exploitdb
WORKING POC
by Mohammed Adel · text · remote · hardware
https://www.exploit-db.com/exploits/51742
References (3)
Scores
CVSS v3
8.8
EPSS
0.0041
EPSS Percentile
61.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
ATCOM Technology co., LTD./100M IP Phones
2.7
Published
Dec 12, 2025
Tracked Since
Feb 18, 2026