CVE-2024-58314 HIGH

CVE-2024-58314: Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI

Vendor Atcom Technology Co., Ltd.
Product 100M IP Phones
Weakness CWE-78
Published December 12, 2025
Last update April 7, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials.

Key dates

02 Disclosure timeline

December 12, 2025 CVE published
April 7, 2026 Record updated