CVE-2024-30167 Overview
CVE-2024-30167 is a command injection vulnerability [CWE-77] in the Atlona AT-OME-MS42 Matrix Switcher running firmware version 1.1.2. The flaw resides in the /cgi-bin/time.cgi endpoint, which fails to sanitize the serverName parameter received in POST requests. Authenticated remote attackers can inject arbitrary operating system commands that execute with root privileges. Successful exploitation gives an attacker full control of the embedded device, including the ability to modify configuration, intercept signal routing, and pivot into adjacent network segments.
Critical Impact
Authenticated attackers can execute arbitrary commands as root on affected Atlona AT-OME-MS42 Matrix Switchers, leading to full device compromise.
Affected Products
- Atlona AT-OME-MS42 Matrix Switcher firmware version 1.1.2
- Web management interface (/cgi-bin/time.cgi)
- Deployments exposing the management interface to untrusted networks
Discovery Timeline
- 2026-05-08 - CVE-2024-30167 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2024-30167
Vulnerability Analysis
The Atlona AT-OME-MS42 is a 4x2 HDMI matrix switcher with an embedded web management interface. The /cgi-bin/time.cgi script handles Network Time Protocol (NTP) configuration changes submitted from the administrative UI. The script accepts a serverName parameter that is passed to an underlying shell context without proper validation or escaping. An authenticated user who submits a crafted POST request can break out of the expected argument boundary and append arbitrary commands. Because the web server and CGI handlers run as the root user on the embedded Linux system, every injected command executes with full administrative privileges. The Exploit-DB entry confirms the issue is reachable from any account that can reach the management interface and authenticate.
Root Cause
The root cause is improper neutralization of special elements used in an operating system command [CWE-77]. The time.cgi script concatenates the attacker-controlled serverName value into a shell invocation without escaping shell metacharacters such as ;, |, &, or backticks. The CGI binary trusts post-authentication input and performs no allow-list validation on the hostname field.
Attack Vector
Exploitation requires network reachability to the device's HTTP management interface and valid credentials, which lowers but does not eliminate the attack surface given that many deployments retain default credentials. The attacker sends a POST request to /cgi-bin/time.cgi containing a serverName value such as a legitimate hostname followed by a shell separator and the chosen payload. The injected command runs synchronously as root, allowing the attacker to write SSH keys, spawn a reverse shell, modify firmware partitions, or disable logging. Public proof-of-concept material is referenced in the IBM X-Force vulnerability entry, and an entry exists in the Exploit-DB catalog.
Detection Methods for CVE-2024-30167
Indicators of Compromise
- POST requests to /cgi-bin/time.cgi containing shell metacharacters (;, |, &, $(), backticks) inside the serverName field.
- Unexpected outbound connections from the matrix switcher's management interface to unknown hosts.
- New or modified files in writable filesystem locations on the device, including added SSH authorized_keys entries.
- NTP configuration changes that were not initiated by an authorized administrator.
Detection Strategies
- Inspect HTTP traffic destined for the device using deep packet inspection rules that flag non-hostname characters in the serverName POST parameter.
- Capture and review web server access logs from the device for anomalous request bodies targeting /cgi-bin/time.cgi.
- Correlate authentication events on the switcher with subsequent configuration changes to identify abuse of valid credentials.
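The serverName check described in the detection strategies above, and the allow-list validation that the Root Cause section says is missing, can be sketched as follows. This is an added example, not code from the advisory or from Atlona; it assumes the POST body is form-urlencoded, and the request records, source addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/time.cgi"

# RFC 1123 hostname labels: letters, digits and inner hyphens only.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

def is_valid_ntp_server(value):
    """Allow-list check: accept only an IP literal or an RFC 1123 hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None

def inspect_request(method, path, body):
    """Return every decoded serverName value that fails the allow-list."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    # parse_qs URL-decodes values and keeps repeated parameters, so a
    # clean first serverName cannot hide a second, malformed one.
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("serverName", []) if not is_valid_ntp_server(v)]

def scan(records):
    """Return (source, value) pairs for each suspicious serverName seen."""
    hits = []
    for src, method, path, body in records:
        hits.extend((src, bad) for bad in inspect_request(method, path, body))
    return hits

# Constructed sample records: (source address, method, path, body).
SAMPLE_REQUESTS = [
    ("10.0.5.21", "POST", TARGET_PATH, "serverName=pool.ntp.org"),
    ("10.0.5.44", "POST", TARGET_PATH, "serverName=time.example.com%3B+echo+test"),
    ("10.0.5.44", "POST", TARGET_PATH,
     "serverName=192.0.2.10&serverName=%24%28echo+test%29"),
    ("10.0.5.21", "GET", TARGET_PATH, ""),
    ("10.0.5.21", "POST", "/index.html", "serverName=a%7Cb"),
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_REQUESTS):
        print(f"ALERT {src} suspicious serverName: {value!r}")
```

The check is an allow-list rather than a metacharacter deny-list, so it also flags spaces, newlines and any other character that is not valid in a hostname.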
Monitoring Recommendations
- Place the matrix switcher behind a management VLAN and log all north-south traffic to the device for retrospective analysis.
- Forward syslog from the device, if supported, to a centralized logging platform and alert on root-shell command execution.
- Establish a network behavior baseline for the device so that unexpected egress connections trigger investigation.
How to Mitigate CVE-2024-30167
Immediate Actions Required
- Restrict access to the management interface to a dedicated administrative network segment using firewall ACLs.
- Rotate all administrative credentials on affected AT-OME-MS42 devices and remove any default accounts.
- Audit the device for unauthorized changes, including SSH keys, cron entries, and modified NTP settings.
- Disable remote management entirely on devices that do not require it.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Operators should monitor Atlona's product support pages for firmware updates superseding version 1.1.2 and apply them as soon as they become available.
Workarounds
- Block external access to TCP ports hosting the web management interface using upstream network controls.
- Require VPN or jump-host access for administrators connecting to the matrix switcher's management plane.
- Enforce strong, unique passwords on every account permitted to access the device to reduce the chance of authenticated abuse.
- Monitor the IBM X-Force advisory for updated mitigation guidance.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


