CVE-2024-58314
Unknown Unknown - Not Provided
Authenticated Command Injection in Atcom 100M IP Phone Firmware

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: VulnCheck

Description
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-14
NVD
CVE-2024-58314
EUVD
EUVD-2024-55349
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
atcom 100m_ip_phones 2.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by sending an authenticated POST request to the endpoint `/cgi-bin/web_cgi_main.cgi?user_get_phone_ping` with a specially crafted payload in the `cmd` parameter to test for command injection. For example, a command injection test payload like `0.0.0.0$(pwd)` can be used. The response will include a base64-encoded result in the JSON field `ping_cmd_result`, which when decoded reveals the output of the injected command, confirming the vulnerability. The request must include an Authorization header using Digest authentication with valid administrative credentials. [2]

Mitigation Strategies

Immediate mitigation steps include restricting administrative access to the web configuration interface of Atcom 100M IP Phones, ensuring only trusted and authenticated users can access it. Applying firmware updates or patches from Atcom, if available, is recommended. Additionally, monitoring and limiting network access to the device's management interface and employing network segmentation can reduce exposure. Since the vulnerability requires administrative credentials, enforcing strong password policies and multi-factor authentication can help mitigate risk. [1, 2]

Executive Summary

This vulnerability exists in Atcom 100M IP Phones firmware version 2.7.x.x. It is an authenticated command injection flaw in the web configuration CGI script, specifically through the 'cmd' parameter in web_cgi_main.cgi. Attackers with administrative credentials can inject arbitrary shell commands, leading to remote code execution on the device.

Impact Analysis

If exploited, this vulnerability allows an attacker with administrative access to execute arbitrary system commands remotely on the affected IP phone. This can lead to full compromise of the device, unauthorized control, data theft, disruption of service, or use of the device as a pivot point for further attacks within the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58314. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart