Cyber Resilience

CVE-2024-58314

High · Public PoC · RCE

Published: 12 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0023 (45.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-58314 is a high-severity OS Command Injection (CWE-78) vulnerability in Atcom IP phone firmware (vendor attribution is inferred from the references, since NVD filed no CPE). Its CVSS base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-58314 is an authenticated command injection vulnerability in Atcom 100M IP Phones firmware version 2.7.x.x. The issue affects the web configuration CGI script, web_cgi_main.cgi, where the 'cmd' parameter fails to properly sanitize input, allowing injection of arbitrary shell commands and enabling remote code execution with administrative credentials. Published on 2025-12-12, it is rated 8.8 on CVSS v3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Exploitation requires administrative credentials and network access to the device; attack complexity is low and no user interaction is needed. A successful attack executes arbitrary system commands on the phone, giving remote code execution with high impact to confidentiality, integrity, and availability.

Advisories from VulnCheck detail the authenticated command injection via the web configuration CGI, while Exploit-DB hosts a proof-of-concept exploit (ID 51742). The Atcom vendor page provides product information relevant to the affected Fast IP Phone series. No specific patch details are outlined in the provided references.

EU & UK References

Vulnerability details

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables exploitation of a public-facing web application (T1190) through authenticated command injection in a CGI script, which directly yields arbitrary Unix shell command execution (T1059.004) and thus remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

Atcom (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of inputs like the 'cmd' parameter in web_cgi_main.cgi to prevent command injection (CWE-78).

SI-2 Flaw Remediation (prevent): Ensures timely identification, testing, and installation of firmware patches to remediate the command injection vulnerability.

Least privilege for the web CGI process (prevent): Enforces least privilege on the web CGI process to limit the scope and impact of arbitrary command execution even with administrative credentials.
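As an added illustration of the input-validation and least-privilege controls above (example code written for this page, not Atcom's firmware or the web_cgi_main.cgi source), the following Python contrasts the CWE-78 pattern with a hardened handler for a 'cmd' parameter. The action names, the `ALLOWED_ACTIONS` table, `/usr/bin/phone-tool` and the function names are all assumptions made for the example; the real script's command table is not described on this page.

```python
import re
import subprocess
from typing import Optional

# Hypothetical allowlist for a web-configuration CGI: every action a client
# may request maps to a fixed argv vector. The request value is used only as
# a dictionary key, so no request bytes are ever handed to a shell parser.
# (Constructed for this example; not Atcom's actual command table.)
ALLOWED_ACTIONS = {
    "show-version": ["/bin/cat", "/etc/version"],
    "show-uptime": ["/usr/bin/uptime"],
}

# Conservative token shape for any value we are willing to look up at all:
# letters, digits, dot, dash, underscore, bounded length.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Characters a POSIX shell would interpret to split or substitute commands.
SHELL_META = set(";|&`$(){}<>\n\r\"'\\ ")


def vulnerable_shell_line(cmd: str) -> str:
    """The CWE-78 pattern: the untrusted 'cmd' value is spliced into a line
    that a shell will parse. The string is returned rather than executed so
    the defect can be inspected safely ('/usr/bin/phone-tool' is assumed)."""
    return "/usr/bin/phone-tool " + cmd


def contains_shell_meta(value: str) -> bool:
    """Detection-style check for a WAF rule or log review: does the value
    carry shell metacharacters? A blocklist like this is a signal, not the
    fix, because it can be bypassed by encodings it does not anticipate."""
    return any(ch in SHELL_META for ch in value)


def resolve_action(params: dict) -> Optional[list]:
    """Hardened dispatch: check the token shape first, then look the value
    up in the fixed allowlist. Returns the argv vector or None to reject.
    Anything outside the allowlist, however well formed, is refused."""
    cmd = params.get("cmd", "")
    if not TOKEN_RE.fullmatch(cmd):
        return None
    return ALLOWED_ACTIONS.get(cmd)


def run_action(params: dict, is_admin: bool) -> Optional[str]:
    """Authenticated entry point: requires an admin session, resolves the
    allowlist entry, and executes it as an argv list with shell=False, so
    the request value never reaches /bin/sh. The CGI process itself should
    also run as an unprivileged account, in line with the least-privilege
    control above."""
    if not is_admin:
        return None
    argv = resolve_action(params)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout
```

The point of `resolve_action` is that validation happens by lookup, not by stripping characters: a value such as `show-version; echo injected` is rejected because it is not an allowlisted key, and the regex check merely bounds what is looked up. `contains_shell_meta` shows the weaker blocklist approach that such detections usually rely on; it is useful for alerting on requests to web_cgi_main.cgi but should not be the only control.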

References