Four-Faith routers: OS command injection (CVE-2024-12856) #shorts

CVE

This CVE covers a critical OS command injection flaw (CWE-78) in the Four-Faith router models F3x24 and F3x36; at least firmware version 2.0 is affected. An authenticated remote attacker can execute arbitrary commands on the underlying operating system by sending an HTTP request that modifies the system time through apply.cgi. Because this firmware version ships with default credentials, any device on which those credentials were never changed is effectively exposed to unauthenticated remote command execution. The flaw is a recent discovery and has been labeled a zero-day vulnerability, so users of the affected models should treat it as requiring immediate attention.

Watch the full video on YouTube: CVE-2024-12856
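The bug class both the summary above and the CVE description below point at is CWE-78: a CGI handler takes the HTTP form value for the new system time and hands it to a shell. The C example below is an added illustration written for this page, not Four-Faith firmware and not code from VulnCheck; the handler, function and field names are hypothetical and the "set time" form value is a constructed sample. It shows the vulnerable command-building pattern beside a hardened version that strictly validates the timestamp and passes it as a single execv argument instead of a shell command line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the bug class behind CVE-2024-12856 (CWE-78):
 * a CGI "set system time" handler that hands an HTTP form value to a shell.
 * Function and field names are hypothetical, not Four-Faith's code.
 */

/* Vulnerable pattern: build `date -s "<value>"` and (in the real handler)
 * run it with system(). The attacker-controlled value is never validated,
 * so a closing quote followed by ';' starts a second command. */
int build_date_command_vulnerable(const char *user_time, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "date -s \"%s\"", user_time);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* --- hardened replacement --- */

static int digits_at(const char *s, int start, int count)
{
    for (int i = 0; i < count; i++)
        if (!isdigit((unsigned char)s[start + i]))
            return 0;
    return 1;
}

static int field(const char *s, int start, int count)
{
    int v = 0;
    for (int i = 0; i < count; i++)
        v = v * 10 + (s[start + i] - '0');
    return v;
}

/* Accept only "YYYY-MM-DD HH:MM:SS": fixed length, digits and separators at
 * fixed positions, fields in range. Anything else (quotes, ';', '$', '`',
 * newlines, trailing text) is rejected, so no shell metacharacter can ever
 * reach a command line. Returns 1 if valid, 0 otherwise. */
int validate_time_field(const char *s)
{
    if (s == NULL || strlen(s) != 19)
        return 0;
    if (!digits_at(s, 0, 4)  || s[4] != '-'  ||
        !digits_at(s, 5, 2)  || s[7] != '-'  ||
        !digits_at(s, 8, 2)  || s[10] != ' ' ||
        !digits_at(s, 11, 2) || s[13] != ':' ||
        !digits_at(s, 14, 2) || s[16] != ':' ||
        !digits_at(s, 17, 2))
        return 0;
    int month = field(s, 5, 2), day = field(s, 8, 2);
    int hour = field(s, 11, 2), minute = field(s, 14, 2), second = field(s, 17, 2);
    if (month < 1 || month > 12 || day < 1 || day > 31)
        return 0;
    if (hour > 23 || minute > 59 || second > 59)
        return 0;
    return 1;
}

/* Hardened pattern: validate first, then build an argv for fork()+execv()
 * rather than a shell string. Even if a metacharacter slipped past the
 * check, it would be one literal argument to /bin/date, never parsed by
 * a shell. Returns 0 on success, -1 if the value is rejected. */
int build_date_argv_hardened(const char *user_time, const char *argv[4])
{
    if (!validate_time_field(user_time))
        return -1;
    argv[0] = "/bin/date";
    argv[1] = "-s";
    argv[2] = user_time;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample form values; nothing here calls system() or execv(). */
    const char *benign  = "2024-12-27 10:00:00";
    const char *payload = "2024-12-27 10:00:00\"; id #";
    char cmd[128];
    const char *argv[4];

    build_date_command_vulnerable(payload, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler, benign value: %s\n",
           build_date_argv_hardened(benign, argv) == 0 ? "accepted" : "rejected");
    printf("hardened handler, payload:      %s\n",
           build_date_argv_hardened(payload, argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The validator is a fixed-format allowlist rather than a blocklist of shell metacharacters, since blocklists are what injection bugs routinely slip past. Note that the hardened path closes the injection only; the default-credential problem the advisory mentions still has to be addressed separately, because a validated endpoint reachable with factory credentials is still an exposed endpoint.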

CVE database technical details

CVE ID
CVE-2024-12856
Description
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
Provider
VulnCheck
CWE / problem types
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Software Versions
Four-Faith F3x24: version 2.0 (affected)
Four-Faith F3x36: version 2.0 (affected)
Date Published
2024-12-27T16:03:04.567Z
Last Updated
2025-01-28T15:24:42.019Z