CVE-2024-12856
Published: 27 December 2024
Summary
CVE-2024-12856 is a high-severity OS Command Injection (CWE-78) vulnerability in Four-Faith F3X36 Firmware. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 1.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-12856 affects Four-Faith F3x24 and F3x36 router models running firmware version 2.0. The flaw is an OS command injection vulnerability (CWE-78) that occurs when an authenticated user modifies the system time through the apply.cgi endpoint over HTTP. The same firmware ships with default credentials (CWE-1392), which can convert the issue into unauthenticated remote command execution if left unchanged. The vulnerability carries a CVSS 3.1 score of 7.2.
An attacker with valid administrative credentials on an exposed management interface can supply crafted input to the system-time parameter and execute arbitrary operating-system commands. When default credentials remain in place, the same actions become possible without authentication, granting full control over the affected device.
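As an added example (not code from the advisory or the vendor), the following Python check illustrates the defender-side detection this description suggests: it scans web-interface request records for POSTs to apply.cgi whose parameter values contain shell metacharacters, which a legitimate clock value never needs. The request format, the sample records and the parameter names (submit_type, date, time) are constructed assumptions, since the advisory does not name the real fields.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters that have no place in a clock value such as "2024-12-27 12:00:00".
SHELL_META = re.compile(r"[;|&`$\n\r]|\$\(")

# Constructed sample requests to the router's web interface, written as "METHOD PATH BODY".
# Parameter names are assumptions for illustration only; the real field names in the
# F3x36 firmware are not given in the advisory.
SAMPLE_REQUESTS = [
    "POST /apply.cgi submit_type=time&date=2024-12-27&time=12%3A00%3A00",
    "POST /apply.cgi submit_type=time&time=12%3A00%3A00%3Bid",
    "GET /status.cgi",
    "POST /apply.cgi submit_type=time&time=12%3A00%3A00%60uname%60",
]


def parse_request(line):
    """Split 'METHOD PATH BODY' into its parts; BODY may be absent."""
    parts = line.split(" ", 2)
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    return method, path, body


def flag_apply_cgi_injection(line):
    """Return (parameter, decoded_value) pairs carrying shell metacharacters in a POST
    to apply.cgi, or an empty list when the request looks benign."""
    method, path, body = parse_request(line)
    if method != "POST" or not path.endswith("/apply.cgi"):
        return []
    findings = []
    # parse_qs percent-decodes values, so an encoded %3B is matched as ';'.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                findings.append((name, value))
    return findings


def scan(lines):
    """Map each request index to its findings, omitting requests with none."""
    return {i: f for i, line in enumerate(lines) if (f := flag_apply_cgi_injection(line))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: suspicious parameters {findings}")
```

Because the check decodes values before matching, percent-encoded separators do not slip past it; pairing a hit with a login from a default account is the stronger signal for this CVE.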
Public references from VulnCheck describe the issue and note the combination of command injection and unchanged defaults as the primary risk factors. No vendor-supplied patches or official mitigation steps are detailed in the available references.
The EPSS score has remained at its peak value of 0.7731 since disclosure, indicating sustained but not newly emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51157
Vulnerability details
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Default credentials combined with authenticated OS command injection in the public-facing web interface (apply.cgi) enable default account abuse (T1078.001), exploitation of public-facing applications (T1190), Unix shell execution (T1059.004), and ingress tool transfer via wget/curl for malware deployment (T1105).
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Mandates replacement of default credentials during secure configuration and provisioning procedures.
- Policy requires changing or avoiding default credentials during system setup and operation.
- Unique identification requirement prevents use of default or shared credentials by organizational users.
- Changing default authenticators prior to first use prevents use of default credentials.
- Standards-compliant authentication mechanisms typically prohibit default credentials for cryptographic modules.
- Consistent implementation of the strategy drives removal or mitigation of default credentials in procured systems and services.
- Security functional requirements and acceptance criteria can stipulate that acquired systems must not use default credentials.
- Documentation of known configuration vulnerabilities and secure setup practices reduces reliance on default credentials.