HIGH · 7.2

CVE-2024-12856

Vulnerability Description

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor | Product | Versions
Four-Faith | F3X36 Firmware | 2.0
Four-Faith | F3X36 | -
Four-Faith | F3X24 Firmware | 2.0
Four-Faith | F3X24 | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2024-12856?

CVE-2024-12856 is a vulnerability with a CVSS score of 7.2 (HIGH). The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execut...

How severe is CVE-2024-12856?

CVE-2024-12856 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2024-12856?

Check the references section above for vendor advisories and patch information. Affected products include: Four-Faith F3X36 Firmware, Four-Faith F3X36, Four-Faith F3X24 Firmware, Four-Faith F3X24.