CVE-2024-58314

HIGH

Atcom 100M IP Phones <2.7.x.x - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58314. PoCs published by Mohammed Adel.

AI-analyzed exploit summary This exploit demonstrates an authenticated command injection vulnerability in Atcom IP phones. The PoC sends a crafted POST request to execute arbitrary commands via the `cmd` parameter, with the output encoded in base64.

Description

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.

Exploits (1)

exploitdb WORKING POC
by Mohammed Adel · textremotehardware
https://www.exploit-db.com/exploits/51742

This exploit demonstrates an authenticated command injection vulnerability in Atcom IP phones. The PoC sends a crafted POST request to execute arbitrary commands via the `cmd` parameter, with the output encoded in base64.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Atcom IP Phone 2.7.x.x
Auth required
Prerequisites: Valid admin credentials · Access to the web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.0023
EPSS Percentile 45.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
ATCOM Technology co., LTD./100M IP Phones 2.7
Published Dec 12, 2025
Tracked Since Feb 18, 2026