CVE-2024-58314
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ATCOM Technology co., LTD. | 100M IP Phones | 2.7 | affected |
Weaknesses
- CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/51742
- https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
- https://www.vulncheck.com/advisories/atcom-xx-authenticated-command-injection-via-web-configuration-cgi
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.