CVE-2024-12856

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Dec 27, 2024

CWE ID 78

Summary

CVE-2024-12856 is a newly identified operating system command injection vulnerability affecting the Four-Faith router models F3x24 and F3x36. This issue, present in firmware version 2.0 and above, allows authenticated and remote attackers to execute arbitrary OS commands over HTTP while modifying the system time via apply.cgi. Furthermore, these routers come with default credentials, which, if left unchanged, can make this vulnerability unauthenticated and remote, posing a significant risk to network security.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

F3X24

Affected Vendors

Xiamen Four-Faith Communication Technology Co.Ltd

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/1x429G
https://www.cve.org/CVERecord?id=CVE-2024-12856
https://nvd.nist.gov/vuln/detail/CVE-2024-12856

Back to Vulnerability Database

Platform Features

Products

Use Cases

Teams

Industries

Services

Threats to the 2025 NATO Summit

Artificial Eyes: Generative AI in China’s Military Intelligence

GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT

Know What Matters

For Customers

For Partners