Cyber Resilience

CVE-2007-3010

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 18 September 2007
Modified: 21 April 2026
KEV Added: 15 April 2022
Patch:
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9413 (99.9th percentile)
Risk priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2007-3010 is a critical-severity Command Injection (CWE-77) vulnerability in the Alcatel-Lucent Enterprise OmniPCX Enterprise Communication Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a command injection flaw (CWE-77) in the masterCGI component of the Unified Maintenance Tool shipped with Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier. Untrusted input supplied in the user parameter is passed directly to the system shell during a ping action, allowing arbitrary command execution.

Unauthenticated remote attackers can exploit the issue over the network by submitting shell metacharacters in a crafted request to the affected CGI. Successful exploitation grants the ability to run commands with the privileges of the web server process, resulting in full system compromise as reflected by the CVSS 3.1 base score of 9.8.

Multiple public advisories and disclosure postings reference the flaw, including entries from RedTeam Pentesting, Secunia, OSVDB, and Full-Disclosure archives, but the supplied references contain no explicit mitigation steps or patch details.


Vulnerability details

masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action.

CWE(s): CWE-77 (Command Injection)
KEV date added: 15 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: al-enterprise
Product: omnipcx enterprise communication server
Versions: ≤ 7.1

Mitigating Controls (NIST 800-53 r5)

- prevent: Rejects or sanitizes the untrusted user parameter before it reaches the shell, directly blocking the command-injection vector in masterCGI.
- prevent: Enforces authorization checks on the ping action so that unauthenticated remote requests cannot invoke the vulnerable CGI.
- prevent: Constrains the web-server process to minimal privileges, limiting the scope of arbitrary commands that can be executed after successful injection.
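The following is an added example, not code from this page or from the vendor's maintenance tool, showing the input-validation control described above for a ping action: a hypothetical `user` parameter is accepted only if it is well-formed hostname or IP-address syntax, and ping is invoked with an argument vector rather than a shell string, so shell metacharacters never reach an interpreter.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_ping_target(user: str) -> Optional[str]:
    """Return the target if it is a well-formed IP address or hostname, otherwise None.

    Allow-listing the syntax rejects every shell metacharacter (; | & ` $ ( ) < > newline)
    without having to enumerate them, which is the input-validation control (SI-10)
    listed against this CVE.
    """
    if not user or len(user) > 253:
        return None
    try:
        # Accepts IPv4 and IPv6 literals; anything with trailing junk raises ValueError.
        return str(ipaddress.ip_address(user))
    except ValueError:
        pass
    labels = user.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return user
    return None


def build_ping_argv(user: str) -> List[str]:
    """Build ping's argv as a list, never as a string handed to a shell.

    Vulnerable pattern this replaces (do not use):  os.system("ping -c 3 " + user)
    With an argv list and shell=False, the target is one argument and cannot
    terminate the command or start another.
    """
    target = validate_ping_target(user)
    if target is None:
        raise ValueError("rejected ping target: not a hostname or IP address")
    return ["ping", "-c", "3", target]


def run_ping(user: str) -> subprocess.CompletedProcess:
    """Run the validated ping without a shell; output is captured for the caller."""
    return subprocess.run(build_ping_argv(user), capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    # Constructed sample inputs: one benign target, one carrying a shell metacharacter.
    for candidate in ("127.0.0.1", "127.0.0.1; id"):
        print(candidate, "->", validate_ping_target(candidate))
```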

References