CVE-2024-12856
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Four-Faith | F3x24 | 2.0 | affected |
| Four-Faith | F3x36 | 2.0 | affected |
Weaknesses
- CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-1392: CWE-1392 Use of Default Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://vulncheck.com/blog/four-faith-cve-2024-12856
- https://vulncheck.com/advisories/four-faith-time
- https://ducklingstudio.blog.fc2.com/blog-entry-392.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.