CVE-2024-58314

HIGH 8.8

Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.

CWE	CWE-78
Vendor	atcom technology co., ltd.
Product	100m ip phones
Published	Dec 12, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for atcom technology co., ltd. 100m ip phones

Be the first to know when new high vulnerabilities affecting atcom technology co., ltd. 100m ip phones are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

ATCOM Technology co., LTD. / 100M IP Phones

2.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/51742 atcom.cn: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html vulncheck.com: https://www.vulncheck.com/advisories/atcom-xx-authenticated-command-injection-via-web-configuration-cgi

Credits

Mohammed Adel