Back to KEVs

CVE-2024-12856

Four-Faith Industrial Router adjust_sys_time OS Command Injection

Basic Information

CVE State
PUBLISHED
Reserved Date
December 20, 2024
Published Date
December 27, 2024
Last Updated
November 22, 2025
Vendor
Four-Faith
Product
F3x24, F3x36
Description
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
poc
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-11-03 00:00:00 UTC) Source

References

https://vulncheck.com/blog/four-faith-cve-2024-12856 https://vulncheck.com/advisories/four-faith-time https://ducklingstudio.blog.fc2.com/blog-entry-392.html

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-11-03 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel