CVE-2024-30167 - Vulnerability Details

- Remote Command Execution via /cgi-bin/time.cgi on Atlona Matrix Switcher

Description

/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.

Published: 2026-05-08

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Atlona AT‑OME‑MS42 Matrix Switcher firmware 1.1.2 contains a flaw in the /cgi‑bin/time.cgi script that accepts a serverName parameter in a POST request. When an authenticated user sends this payload, the script executes the value as an operating‑system command with root privileges, granting the attacker the ability to run arbitrary commands on the device. This vulnerability represents a classic command injection problem and is further compounded by parameter injection (CWE‑77).

Affected Systems

The flaw affects Atlona AT‑OME‑MS42 Matrix Switcher devices running firmware version 1.1.2. No other firmware versions are mentioned, and no additional vendors or products are listed.

Risk and Exploitability

The vulnerability allows logged‑in administrators to elevate privileges and run arbitrary commands with root access. Although the EPSS score is below 1 %, indicating a low probability of exploitation, the CVSS score of 6.3 reflects moderate severity. The flaw is not currently listed in the CISA KEV catalog. Because the attack requires valid credentials, an adversary must first obtain or compromise credentials before the vulnerability can be exploited. Once authenticated, the impact is severe: full control of the switcher, potential network disruption, and data compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Atlona

At-ome-ms42

100%

Version	Status	Scheme	Platform
`1.1.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Atlona AT‑OME‑MS42 Matrix Switcher to a firmware version that fixes the command injection flaw in /cgi‑bin/time.cgi. If a new release is not yet available, contact Atlona support for guidance on applying the fix.
Restrict network access to the /cgi‑bin/time.cgi endpoint by implementing firewall or ACL rules so that only trusted management hosts can reach it.
Enforce strong authentication practices for the switcher, including password complexity, account lockout, and, where possible, multi‑factor authentication, and limit administrative accounts to personnel who truly need them.
Place the switcher on a dedicated management subnet or network segment to reduce its exposure to untrusted traffic.

Generated by OpenCVE AI on May 8, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00295.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/285733

History

Mon, 11 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Atlona Atlona at-ome-ms42
Vendors & Products		Atlona Atlona at-ome-ms42

Fri, 08 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Remote Command Execution via /cgi-bin/time.cgi on Atlona Matrix Switcher

Fri, 08 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
Title	Remote Command Execution via /cgi-bin/time.cgi in Atlona AT-OME-MS42
Weaknesses	CWE-78

Fri, 08 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 08 May 2026 07:15:00 +0000

Type	Values Removed	Values Added
Title		Remote Command Execution via /cgi-bin/time.cgi in Atlona AT-OME-MS42
Weaknesses		CWE-78

Fri, 08 May 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allow remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
References		https://exchange.xforce.ibmcloud.com/vulnerabilities/285733

Subscriptions

Atlona At-ome-ms42

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-08T00:00:00.000Z

Updated: 2026-05-08T14:09:36.933Z

Reserved: 2024-03-24T00:00:00.000Z

Link: CVE-2024-30167

Vulnrichment

Updated: 2026-05-08T14:09:32.719Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T06:16:09.160

Modified: 2026-05-08T16:02:14.343

Link: CVE-2024-30167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T16:11:47Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object