Description
/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Atlona AT-OME-MS42 Matrix Switcher 1.1.2 contains a flaw in the /cgi-bin/time.cgi handler that allows an authenticated user to send a crafted POST request containing a serverName parameter. This flaw enables the remote execution of arbitrary commands on the device’s operating system with root privileges.

Affected Systems

Atlona AT-OME-MS42 Matrix Switcher running firmware version 1.1.2.

Risk and Exploitability

This vulnerability provides a direct path for authenticated users to execute any command as root. Because the flaw is triggered by a simple HTTP POST request over the network, an attacker who can gain valid authentication credentials can compromise the entire device. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so the current exploitation probability is unknown, but the impact of root-level execution is severe. The likely attack vector is an authenticated remote request to the affected CGI endpoint.

Generated by OpenCVE AI on May 8, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Atlona’s support or update portal for a firmware patch that addresses the time.cgi flaw and apply it when available.
  • Restrict network access to the /cgi-bin/time.cgi endpoint using firewall rules or ACLs so that only trusted management networks can reach it.
  • Implement strong authentication practices and follow the principle of least privilege by removing unnecessary administrative accounts and limiting root access to the device.
  • Consider isolating the switcher from critical networks through segmentation or by placing it behind a dedicated management subnet to reduce the exposure of the vulnerable endpoint.

Advisories

No advisories yet.

History

Fri, 08 May 2026 07:15:00 +0000

Type | Values Removed | Values Added
Title | | Remote Command Execution via /cgi-bin/time.cgi in Atlona AT-OME-MS42
Weaknesses | | CWE-78

Fri, 08 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | /cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T05:00:46.796Z

Reserved: 2024-03-24T00:00:00.000Z

Link: CVE-2024-30167

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T06:16:09.160

Modified: 2026-05-08T06:16:09.160

Link: CVE-2024-30167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T07:00:04Z

Weaknesses