
Description

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.

PUBLISHED Reserved 2025-12-12 | Published 2025-12-12 | Updated 2025-12-12 | Assigner VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Version 2.7: affected

Credits

Mohammed Adel (finder)

References

www.exploit-db.com/exploits/51742 (ExploitDB-51742) exploit

www.atcom.cn/...ban/Product/Fast_IP_phone/2017/1023/135.html (Atcom IP Phone Webpage) product

www.vulncheck.com/...and-injection-via-web-configuration-cgi (VulnCheck Advisory: Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI) third-party-advisory

cve.org (CVE-2024-58314)

nvd.nist.gov (CVE-2024-58314)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.