CVE-2024-12856 HIGH

CVE-2024-12856: Four-Faith Industrial Router adjust_sys_time OS Command Injection

Vendor Four-Faith

Product F3x24

Weakness CWE-78

Published December 27, 2024

Last update November 22, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

Key dates

02Disclosure timeline

December 27, 2024 CVE published

November 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12856

Related vulnerabilities

Identifiers

CVE CVE-2024-12856

CWE CWE-78

CVSS 7.2 / HIGH

Affected versions

Vendor Four-Faith

Product F3x24

Affected 2.0

Vendor Four-Faith

Product F3x36

Affected 2.0

CVE-2024-12856: Four-Faith Industrial Router adjust_sys_time OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE