Cyber Resilience

CVE-2024-12856

High · Public PoC · RCE

Published: 27 December 2024
Modified: 25 September 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7731 (99.0th percentile)
Risk Priority: 61 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12856 is a high-severity OS Command Injection (CWE-78) vulnerability in Four-Faith F3X36 Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 1.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-12856 affects Four-Faith F3x24 and F3x36 router models running firmware version 2.0. The flaw is an OS command injection vulnerability (CWE-78) that occurs when an authenticated user modifies the system time through the apply.cgi endpoint over HTTP. The same firmware ships with default credentials (CWE-1392), which can convert the issue into unauthenticated remote command execution if left unchanged. The vulnerability carries a CVSS 3.1 score of 7.2.

An attacker with valid administrative credentials on an exposed management interface can supply crafted input to the system-time parameter and execute arbitrary operating-system commands. When default credentials remain in place, the same actions become possible without authentication, granting full control over the affected device.

Public references from VulnCheck describe the issue and note the combination of command injection and unchanged defaults as the primary risk factors. No vendor-supplied patches or official mitigation steps are detailed in the available references.

The EPSS score has remained at its peak value of 0.7731 since disclosure, indicating sustained but not newly emerging exploitation interest.


Vulnerability details

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

CWE(s)

CWE-78 OS Command Injection
CWE-1392 Use of Default Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1105 Ingress Tool Transfer (Command And Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Default credentials combined with authenticated OS command injection in the public-facing web interface (apply.cgi) enable default account abuse (T1078.001), exploitation of public-facing applications (T1190), Unix shell execution (T1059.004), and ingress tool transfer via wget/curl for malware deployment (T1105).

Affected Assets

four-faith f3x36 firmware 2.0
four-faith f3x24 firmware 2.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-1392: Mandates replacement of default credentials during secure configuration and provisioning procedures.

Addresses CWE-1392: Policy requires changing or avoiding default credentials during system setup and operation.

Addresses CWE-1392: Unique identification requirement prevents use of default or shared credentials by organizational users.

Addresses CWE-1392: Changing default authenticators prior to first use prevents use of default credentials.

Addresses CWE-1392: Standards-compliant authentication mechanisms typically prohibit default credentials for cryptographic modules.

Addresses CWE-1392: Consistent implementation of the strategy drives removal or mitigation of default credentials in procured systems and services.

Addresses CWE-1392: Security functional requirements and acceptance criteria can stipulate that acquired systems must not use default credentials.

Addresses CWE-1392: Documentation of known configuration vulnerabilities and secure setup practices reduces reliance on default credentials.
