
CVE-2024-58314

Severity: High · Public PoC available

Published: 12 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: no patch details in the cited references
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation and sanitization of inputs such as the 'cmd' parameter in web_cgi_main.cgi, so that request data can never be interpreted as shell syntax (CWE-78).

prevent: Ensures timely identification, testing, and installation of firmware patches to remediate the command injection vulnerability.

prevent: Enforces least privilege on the web CGI process so that arbitrary command execution, even by a caller holding administrative web credentials, is confined to that process's own permissions rather than the whole device.
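The injection pattern behind this class of bug, next to the input-validation and no-shell fix that the first control calls for, as an added example written for this page. It is not Atcom's firmware code; the advisory does not disclose what the 'cmd' value feeds into. Assumed for illustration only: the parameter names a host handed to a fixed diagnostic binary (/bin/ping), and every function and variable name is the example's own.

```c
/* Added example, not Atcom code: the CGI command-injection pattern and a
 * hardened replacement. Assumptions (not from the advisory): 'cmd' carries a
 * host for a fixed diagnostic binary, /bin/ping. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 64

/* VULNERABLE PATTERN (CWE-78): the request parameter is spliced into a
 * shell command line and handed to system(). Everything after ';', '|',
 * '&', '`' or '$(' becomes a second command running as the CGI's user. */
int build_vulnerable_command(char *out, size_t outlen, const char *cmd_param)
{
    return snprintf(out, outlen, "/bin/ping -c 1 %s", cmd_param);
}

void handle_vulnerable(const char *cmd_param)
{
    char line[256];
    build_vulnerable_command(line, sizeof line, cmd_param);
    system(line);               /* cmd_param = "127.0.0.1; id" also runs "id" */
}

/* HARDENED: 1) allow-list the characters a host or IP may contain,
 * 2) cap the length, 3) refuse a leading '-' so the value cannot become an
 * option, 4) never go through a shell: execv() takes an argv array, so any
 * metacharacter that slips through is passed to ping literally, not parsed. */
int cmd_value_is_safe(const char *v)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:";
    size_t n = strlen(v);
    if (n == 0 || n >= CMD_MAX) return 0;
    if (v[0] == '-') return 0;
    return strspn(v, allowed) == n;
}

/* Returns ping's exit status, or -1 when the value is rejected (send 400). */
int handle_hardened(const char *cmd_param)
{
    if (!cmd_value_is_safe(cmd_param)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/ping", "-c", "1", (char *)cmd_param, NULL};
        execv(argv[0], argv);   /* no /bin/sh involved */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *payload = "127.0.0.1; id";   /* constructed injection value */
    char line[256];
    build_vulnerable_command(line, sizeof line, payload);
    printf("vulnerable command line: %s\n", line);
    printf("hardened accepts payload?   %d\n", cmd_value_is_safe(payload));
    printf("hardened accepts 127.0.0.1? %d\n", cmd_value_is_safe("127.0.0.1"));
    return 0;
}
```

The allow-list is deliberately narrower than "strip the metacharacters": a deny-list misses encodings and shell features you did not think of, while an allow-list plus execv() removes the shell from the path entirely. Running the CGI under a dedicated unprivileged user (the third control) bounds what a future bypass can reach.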

Security Summary

CVE-2024-58314 is an authenticated command injection vulnerability in Atcom 100M IP Phones firmware version 2.7.x.x. The issue affects the web configuration CGI script, web_cgi_main.cgi, where the 'cmd' parameter fails to properly sanitize input, allowing injection of arbitrary shell commands and enabling remote code execution with administrative credentials. Published on 2025-12-12, it is rated 8.8 on CVSS v3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Exploitation requires valid administrative credentials and network reachability of the phone's web interface; attack complexity is low and no user interaction is needed. A successful request executes arbitrary system commands on the handset, with high impact to confidentiality, integrity, and availability. In practice the credential requirement is a thin barrier on phones still running default or shared administrative passwords, so the management interface should not be reachable from untrusted networks, and with a public PoC available the exploit should be treated as within reach of any attacker who obtains a login.

Advisories from VulnCheck detail the authenticated command injection via the web configuration CGI, while Exploit-DB hosts a proof-of-concept exploit (ID 51742). The Atcom vendor page provides product information relevant to the affected Fast IP Phone series. No specific patch details are outlined in the provided references.

Details

CWE(s): CWE-78 Improper Neutralization of Special Elements used in an OS Command

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables exploitation of a public-facing web application (T1190) via authenticated command injection in a CGI script, directly facilitating arbitrary Unix shell command execution (T1059.004) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
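T1190 against this CGI leaves a trace in the phone's or a fronting proxy's HTTP access log. As an added example that is not part of this page's source data, the scanner below flags requests to web_cgi_main.cgi whose percent-decoded cmd value contains shell metacharacters. The log lines are constructed for the example, and the request layout (GET with cmd in the query string, Common Log Format) is an assumption; the function names are the example's own.

```c
/* Added example, not from the advisory: flag access-log lines carrying shell
 * metacharacters in the 'cmd' parameter of web_cgi_main.cgi. Sample lines are
 * constructed; the GET/query-string layout is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode in[0..inlen) into out ('+' becomes ' '); returns length.
 * Decoding first matters: an attacker sends %3B, the shell sees ';'. */
size_t url_decode(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen && o + 1 < outlen; i++) {
        if (in[i] == '%' && i + 2 < inlen &&
            hexval((unsigned char)in[i + 1]) >= 0 &&
            hexval((unsigned char)in[i + 2]) >= 0) {
            out[o++] = (char)(hexval((unsigned char)in[i + 1]) * 16 +
                              hexval((unsigned char)in[i + 2]));
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Copy the decoded cmd= value from the request target into out.
 * Returns 1 when the line targets web_cgi_main.cgi with a cmd parameter. */
int extract_cmd(const char *line, char *out, size_t outlen)
{
    const char *uri = strstr(line, "web_cgi_main.cgi");
    if (!uri) return 0;
    const char *q = strchr(uri, '?');
    if (!q) return 0;
    const char *end = strpbrk(q, " \"");      /* end of the request target */
    if (!end) end = q + strlen(q);
    const char *p = q + 1;
    while (p < end) {
        const char *amp = memchr(p, '&', end - p);
        const char *pend = amp ? amp : end;
        if (pend - p >= 4 && strncmp(p, "cmd=", 4) == 0) {
            url_decode(p + 4, pend - (p + 4), out, outlen);
            return 1;
        }
        p = pend + 1;
    }
    return 0;
}

/* Characters that turn one argument into a second command under /bin/sh. */
int looks_like_injection(const char *decoded)
{
    return strpbrk(decoded, ";|&`$()<>\n") != NULL;
}

/* Returns the number of suspicious lines and prints each one. */
int scan_lines(const char *const *lines, size_t n)
{
    int hits = 0;
    char cmd[512];
    for (size_t i = 0; i < n; i++) {
        if (extract_cmd(lines[i], cmd, sizeof cmd) && looks_like_injection(cmd)) {
            hits++;
            printf("ALERT decoded cmd=\"%s\" :: %s\n", cmd, lines[i]);
        }
    }
    return hits;
}

/* Constructed sample log lines (Common Log Format), not real traffic. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - admin [12/Dec/2025:10:01:02 +0000] \"GET /web_cgi_main.cgi?cmd=192.168.1.1 HTTP/1.1\" 200 512",
    "10.0.0.9 - admin [12/Dec/2025:10:01:10 +0000] \"GET /web_cgi_main.cgi?cmd=127.0.0.1%3Bid HTTP/1.1\" 200 640",
    "10.0.0.9 - admin [12/Dec/2025:10:01:12 +0000] \"GET /web_cgi_main.cgi?page=1&cmd=x%7Ccat+/etc/passwd HTTP/1.1\" 200 900",
    "10.0.0.7 - - [12/Dec/2025:10:02:00 +0000] \"GET /index.html HTTP/1.1\" 200 100",
};
static const size_t SAMPLE_LOG_COUNT = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

int main(void)
{
    int hits = scan_lines(SAMPLE_LOG, SAMPLE_LOG_COUNT);
    printf("%d of %zu lines flagged\n", hits, SAMPLE_LOG_COUNT);
    return 0;
}
```

Two caveats for anyone wiring this into a detection pipeline: parameters sent in a POST body never reach an access log, so for those you need capture at a reverse proxy or a network tap in front of the phones; and because the attacker is authenticated, the flagged requests will carry a 200 status and a valid admin username, so the alert should pivot on the source address and the login that preceded it rather than on the response code.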
