ZCyberNews

CVE-2024-30167: Atlona Matrix Switcher Flaw Lets Authenticated Users

CVE-2024-30167 (CVSS 6.3): Authenticated users can execute arbitrary commands as root on Atlona AT-OME-MS42 Matrix Switcher 1.1.2 via a crafted POST to /cgi-bin/time.cgi.

Executive Summary

A command injection vulnerability in the Atlona AT-OME-MS42 Matrix Switcher, tracked as CVE-2024-30167, allows remote authenticated users to execute arbitrary operating system commands with root privileges. The flaw resides in the /cgi-bin/time.cgi endpoint, which fails to sanitize user-supplied input passed via a POST request's serverName parameter. Atlona has assigned the issue a CVSS v3.1 base score of 6.3 (Medium), according to the NVD entry published on 2026-05-09. The affected firmware version is 1.1.2. No patch or advisory from Atlona has been publicly identified as of this writing.

Technical Analysis

The AT-OME-MS42 is an HDBaseT matrix switcher commonly deployed in conference rooms, classrooms, and digital signage installations. It provides centralized switching for multiple AV sources to multiple displays over a single Cat5e/6 cable. The device runs a lightweight embedded Linux system with a CGI-based web management interface.

CVE-2024-30167 is a classic OS command injection vulnerability. The /cgi-bin/time.cgi script accepts a serverName parameter in a POST request and passes it unsanitized to a shell command — likely a call to ntpdate or chronyd that constructs a command string using the parameter. An authenticated attacker can inject shell metacharacters (e.g., ;, |, `, $()) to append arbitrary commands. Because the CGI process runs as root, the injected commands execute with full system privileges.

The vulnerability requires authentication to the web interface. However, many AV devices in enterprise environments ship with default credentials (often admin/admin or a blank password) that administrators never change. In such configurations, the authentication requirement provides negligible protection.

IBM X-Force Exchange, which published the vulnerability details on 2026-05-09, notes that the serverName parameter is the sole injection vector. The endpoint is accessible at:

POST /cgi-bin/time.cgi

with the payload embedded in the serverName field. No cross-site request forgery (CSRF) protection is mentioned, though the requirement for authentication reduces the practical attack surface for remote unauthenticated exploitation.

Mitigations & Recommendations

Defenders should take the following steps:

  • Change default credentials immediately. If the AT-OME-MS42 is still using factory-default login credentials, an attacker with network access to the management interface can trivially authenticate and exploit CVE-2024-30167. Set a strong, unique password for the admin account.
  • Restrict network access to the management interface. Place the matrix switcher on a dedicated management VLAN or physically isolated network segment. Do not expose the web interface to the internet or to untrusted network zones. Use firewall rules to allow access only from authorized administrative IP addresses.
  • Monitor for anomalous POST requests to /cgi-bin/time.cgi containing shell metacharacters in the serverName parameter. Web server logs or network flow data can reveal reconnaissance or exploitation attempts.
  • Check for firmware updates. As of this publication, Atlona has not released a patched firmware version. Monitor the vendor's support portal for updates. If no patch becomes available, consider replacing the device with a supported alternative that receives security maintenance.
  • Segment AV equipment from production networks. Matrix switchers and other AV-over-IP devices often lack security hardening. Treat them as IoT-class devices and isolate them from sensitive systems.
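The monitoring step above assumes a log source that records POST bodies (a reverse proxy or WAF in front of the switcher; ordinary access logs do not carry them). The following added example, not code from the article or from Atlona, shows that check run over constructed log lines in an assumed "<ip> <method> <path> <urlencoded body>" format. The same allowlist check (is serverName a plain hostname or IPv4 literal?) is what a hardened CGI handler would apply before handing the value to an NTP client instead of a shell.

```python
import re
from urllib.parse import parse_qs, urlparse

# Shell metacharacters that have no place in an NTP server hostname.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r\\'\"]")

# RFC 1123-style hostname (also matches IPv4 literals): labels of 1-63
# alphanumerics/hyphens, not starting or ending with a hyphen, total <= 253.
VALID_HOST = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample log lines (hypothetical format: ip method path body).
SAMPLE_LOG = [
    "10.0.5.20 POST /cgi-bin/time.cgi serverName=pool.ntp.org&timezone=UTC",
    "10.0.5.21 GET /cgi-bin/time.cgi serverName=whatever",
    "10.0.5.22 POST /cgi-bin/time.cgi serverName=time.example%3Bid&timezone=UTC",
    "10.0.5.23 POST /cgi-bin/status.cgi serverName=x%7Cy",
    "10.0.5.24 POST /cgi-bin/time.cgi?lang=en serverName=bad%20host",
]


def classify_server_name(value):
    """'suspicious' if shell metacharacters are present, 'benign' if the value
    is a well-formed hostname, otherwise 'malformed' (worth a look, not an alert)."""
    if SHELL_META.search(value):
        return "suspicious"
    if VALID_HOST.match(value):
        return "benign"
    return "malformed"


def scan_proxy_log(lines):
    """Return (client_ip, serverName, verdict) for each POST to /cgi-bin/time.cgi."""
    findings = []
    for line in lines:
        parts = line.strip().split(" ", 3)
        if len(parts) < 4:
            continue  # malformed or body-less record
        ip, method, path, body = parts
        if method != "POST" or urlparse(path).path != "/cgi-bin/time.cgi":
            continue
        # parse_qs decodes %3B -> ';' so the check sees what the CGI script sees.
        for name in parse_qs(body, keep_blank_values=True).get("serverName", []):
            findings.append((ip, name, classify_server_name(name)))
    return findings


if __name__ == "__main__":
    for ip, name, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:10} {ip:12} serverName={name!r}")
```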
