CVE-2024-12856

Four-Faith Industrial Router adjust_sys_time OS Command Injection

CVSS 7.2 HIGH | EPSS 82.2% | CWE-1392 | CWE-78
In short

Four-Faith industrial routers (models F3x24 and F3x36) let an attacker run arbitrary commands on the device by manipulating the system time setting in the web interface. The bug itself requires a login, but if the factory default password has not been changed, anyone who can reach the router's web interface can exploit it without legitimate access.

Technical detail

An OS command injection vulnerability exists in the apply.cgi endpoint when it processes a system time adjustment over HTTP. Remote attackers who can authenticate to the web interface can inject arbitrary OS commands. Where the factory default credentials (CWE-1392) are still in place, that authentication barrier disappears, and anyone with network access to the HTTP service gets unauthenticated OS command execution. The CVSS vector rates the flaw PR:H because credentials are required; the default-credential weakness is what makes it practically unauthenticated. Two checks follow directly from the description: confirm whether the default credentials on each affected unit have been changed, and confirm whether the HTTP management interface is reachable from untrusted networks.

Summary generated and translated by AI from the official description.
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
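The description names the bug class (CWE-78 in a CGI handler that applies a user-supplied system time) but not the code. The following is an added illustrative example, not Four-Faith's firmware and not the CVE's payload: it shows the generic vulnerable pattern (splicing the submitted time value into a shell command line) beside a hardened form that validates the value against a strict shape and hands it to execv()-style argv so no shell ever parses it. The parameter name time_str, the "YYYY-MM-DD HH:MM:SS" format and the constructed inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Vulnerable pattern (illustrative, not the vendor's code): the CGI
 * handler splices the attacker-controlled time value straight into a
 * shell command line. The string is returned rather than executed so it
 * can be inspected; in a real handler it would be passed to system(). */
int build_time_command_vulnerable(const char *time_str, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "date -s %s", time_str);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Helper for checking the vulnerable path: does the command the
 * handler would hand to the shell contain the given substring? */
bool vulnerable_command_contains(const char *time_str, const char *needle)
{
    char cmd[256];
    if (build_time_command_vulnerable(time_str, cmd, sizeof cmd) != 0)
        return false;
    return strstr(cmd, needle) != NULL;
}

/* Hardened input check: accept exactly "YYYY-MM-DD HH:MM:SS" (assumed
 * format) with digits in the digit positions and nothing else. Shell
 * metacharacters, extra bytes and short strings are all rejected before
 * any process is spawned. */
bool is_valid_time_string(const char *s)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";
    size_t n = strlen(shape);
    if (strlen(s) != n)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (shape[i] == 'd') {
            if (!isdigit((unsigned char)s[i]))
                return false;
        } else if (s[i] != shape[i]) {
            return false;
        }
    }
    return true;
}

/* Hardened handler: validate, then build an argv for execv()-style
 * execution so the value is a single argument and never shell-parsed.
 * Returns the number of argv entries filled (excluding the NULL
 * terminator), or -1 if the value was rejected. */
int build_time_argv_hardened(const char *time_str, const char *argv[4])
{
    if (!is_valid_time_string(time_str))
        return -1;
    argv[0] = "/bin/date";
    argv[1] = "-s";
    argv[2] = time_str;
    argv[3] = NULL;
    return 3;
}

/* Convenience wrapper: would the hardened handler accept this value? */
bool hardened_accepts(const char *time_str)
{
    const char *argv[4];
    return build_time_argv_hardened(time_str, argv) == 3;
}

int main(void)
{
    /* Constructed inputs: a well-formed time and the same time with a
     * generic ';' command separator appended (not the CVE's payload). */
    const char *good = "2024-12-25 10:30:00";
    const char *bad  = "2024-12-25 10:30:00;id";
    char cmd[256];

    build_time_command_vulnerable(bad, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened accepts well-formed value: %s\n", hardened_accepts(good) ? "yes" : "no");
    printf("hardened accepts injected value:    %s\n", hardened_accepts(bad) ? "yes" : "no");
    return 0;
}
```

The point of the hardened form is that validation and execution are decoupled from the shell: even if the allow-list were loosened, execv() with a fixed argv treats the value as one argument to date rather than as command-line text, so `;`, `|`, backticks and `$()` carry no meaning.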
