CVE-2024-12856

HIGH EXPLOITED

Four-Faith F3x24 and F3x36 Firmware 2.0 - Authenticated OS Command Injection via apply.cgi

Title source: llm

Exploitation Summary

CVE-2024-12856 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including nu113d.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-12856, targeting Four-Faith routers (F3x24 and F3x36) with an OS command injection vulnerability in the apply.cgi endpoint. The exploit leverages default credentials (admin:admin) to execute a reverse shell payload via the adj_time_year parameter.

Description

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

Exploits (1)

nomisec WORKING POC

by nu113d · remote-auth

https://github.com/nu113d/CVE-2024-12856

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-12856, targeting Four-Faith routers (F3x24 and F3x36) with an OS command injection vulnerability in the apply.cgi endpoint. The exploit leverages default credentials (admin:admin) to execute a reverse shell payload via the adj_time_year parameter.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Four-Faith router models F3x24 and F3x36 (firmware version 2.0)

Auth required

Prerequisites: Network access to the target router · Default or known credentials (admin:admin) · Listener set up for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit technical-description

https://vulncheck.com/blog/four-faith-cve-2024-12856

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/four-faith-time

Exploit, Third Party Advisory exploit

https://ducklingstudio.blog.fc2.com/blog-entry-392.html

Scores

CVSS v3 7.2

EPSS 0.8219

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2024-11-09

CWE

CWE-78 CWE-1392

Status published

Products (2)

four-faith/f3x24_firmware 2.0

four-faith/f3x36_firmware 2.0

Published Dec 27, 2024

Tracked Since Feb 18, 2026