
CVE-2024-12856

Severity: High
SVRS: 68/100
CVSSv3: 7.2/10
EPSS: 0.76838/1

CVE-2024-12856: OS Command Injection in Four-Faith Routers. This vulnerability allows remote attackers to execute arbitrary operating system commands via HTTP on Four-Faith F3x24 and F3x36 routers when modifying the system time.

The vulnerability affects firmware version 2.0 and requires authentication, but the default credentials shipped with that firmware turn it into an unauthenticated threat wherever they have not been changed. A public exploit is available and the flaw is being exploited in the wild, meaning attackers are actively attempting to leverage it. The SVRS score of 68 indicates a serious, though not critical, risk that requires attention.

Successful exploitation could lead to complete control of the affected router, potentially allowing attackers to pivot to other network resources. This vulnerability poses a significant risk to organizations using these router models, especially if they have not changed the default credentials. Immediate action is required to mitigate the risks, including changing default credentials and applying available security patches.

Tags: In The Wild, Exploit Available, Technical description, Exploit, Third-party advisory
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: 2024-12-27
Last updated: 2025-01-28
SOCRadar AI Insight

Description

CVE-2024-12856 affects Four-Faith router models F3x24 and F3x36 running firmware version 2.0. It allows an authenticated remote attacker to execute arbitrary OS commands through the apply.cgi interface when modifying the system time. Because this firmware version ships with default credentials, the flaw becomes unauthenticated remote OS command execution on any device where those credentials have not been changed. The SVRS for this vulnerability is 46, indicating a moderate risk level.

Key Insights

  • Remote Code Execution: This vulnerability allows attackers to execute arbitrary code on the affected routers, potentially granting them full control over the device.
  • Default Credentials: The presence of default credentials significantly increases the risk as attackers can exploit the vulnerability without any prior authentication.
  • In The Wild: This vulnerability is actively exploited by hackers, highlighting the urgency of addressing it.
  • Limited Scope: While the vulnerability affects specific models and firmware versions, it is essential to understand the potential impact of successful exploitation, including data breaches, denial-of-service attacks, and network disruption.

Mitigation Strategies

  • Firmware Updates: Immediately update affected routers to the latest firmware version that addresses the vulnerability.
  • Credential Change: Change the default credentials on all affected routers to strong and unique passwords.
  • Network Segmentation: Implement network segmentation to isolate affected routers from critical systems and sensitive data.
  • Monitoring and Detection: Continuously monitor network traffic and system logs for any suspicious activity that might indicate exploitation of this vulnerability.
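The Monitoring and Detection point above can be made concrete: the injection sits in the system-time fields submitted to apply.cgi, and a legitimate time value is a plain integer, so any request whose time fields contain anything else is worth an alert. The following is an added example, not SOCRadar's or Four-Faith's code; the records are constructed to stand in for a reverse-proxy or WAF log that retains the form body, and the field names other than adj_time_year are assumptions used only to show the pattern.

```python
"""Flag apply.cgi requests whose system-time fields are not plain integers."""
import re
from urllib.parse import parse_qs

# adj_time_year is named in public reporting on CVE-2024-12856; the other
# field names are assumptions. Every one of them should be digits only.
TIME_FIELDS = {"adj_time_year", "adj_time_month", "adj_time_day",
               "adj_time_hour", "adj_time_minute", "adj_time_second"}
# Characters that would let a value escape a shell command (CWE-78).
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")


def bad_time_fields(body: str) -> dict:
    """Return {field: value} for each time field that is not all digits.
    parse_qs percent-decodes after splitting on '&', so an encoded ';'
    (%3B) in a value is seen as the literal character it will become."""
    out = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name in TIME_FIELDS:
            for v in values:
                if not v.isdigit():
                    out[name] = v
    return out


# Constructed records: "<client_ip> <method> <path> <form body>"
RECORDS = [
    "203.0.113.5 POST /apply.cgi adj_time_year=2025&adj_time_month=01&adj_time_day=28",
    "198.51.100.7 POST /apply.cgi adj_time_year=2025%3Bid&adj_time_month=01",
    "192.0.2.9 GET /index.html ",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def scan(records):
    """Return one alert per apply.cgi request carrying a non-numeric time field."""
    alerts = []
    for rec in records:
        m = LINE_RE.match(rec)
        if not m:
            continue
        client, method, path, body = m.groups()
        if not path.endswith("/apply.cgi"):
            continue
        bad = bad_time_fields(body)
        if bad:
            alerts.append({"client": client, "fields": bad,
                           "metachar": any(SHELL_META.search(v) for v in bad.values())})
    return alerts


if __name__ == "__main__":
    for alert in scan(RECORDS):
        print(alert)
```

The digits-only allowlist is also the server-side fix for this class of bug: a firmware that converts each field with a strict integer parse and rejects anything else never hands attacker text to a shell.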


Indicators of Compromise

No IOCs found for this CVE

Exploits

  • nu113d/CVE-2024-12856: https://github.com/nu113d/CVE-2024-12856 (2025-01-11)

News

  • 30th December – Threat Intelligence Report (checkpoint.com, hagarb, 2025-02-01): For the latest discoveries in cyber research for the week of 30th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo's Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours […]
  • New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers (securityaffairs.co, Pierluigi Paganini, 2025-01-21): Researchers warn of a campaign exploiting AVTECH IP cameras and Huawei HG532 routers to create a Mirai botnet variant called Murdoc Botnet. Murdoc Botnet is a new Mirai botnet variant that targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, the Qualys Threat Research Unit reported. The botnet has been active since at least […]
  • Gayfemboy Botnet targets Four-Faith router vulnerability (securityaffairs.co, Pierluigi Paganini, 2025-01-08): Gayfemboy, a Mirai botnet variant, has been exploiting a flaw in Four-Faith industrial routers to launch DDoS attacks since November 2024. The Gayfemboy botnet was first identified in February 2024; it borrows the code from the basic Mirai variant and now integrates N-day and 0-day exploits. By November 2024, Gayfemboy exploited 0-day vulnerabilities in Four-Faith […]
  • Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks (allhackernews.com, Ajit Jasrotia, 2025-01-08): A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States. Exploiting an […]
  • Security Affairs newsletter Round 505 by Pierluigi Paganini – INTERNATIONAL EDITION (google.com, 2025-01-05): A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Malicious npm packages target Ethereum developers; US Treasury Department sanctioned Chinese cybersecurity firm linked to Flax Typhoon APT; FireScam Android info-stealing malware supports spyware capabilities; Richmond University Medical Center data breach impacted 674,033 individuals; Apple will pay $95 Million to settle lawsuit over Siri's alleged eavesdropping; LDAPNightmare, a PoC exploit targets […]
  • Privacy Roundup: Week 1 of Year 2025 (securityboulevard.com, Avoid The Hack!, 2025-01-04): This is a news item roundup of privacy or privacy-related news items for 29 DEC 2024 - 4 JAN 2024. Information and summaries provided here are as-is for warranty purposes. Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things […]
  • CTO at NCSC Summary: week ending January 5th (substack.com via google.com, 2025-01-03): Happy New Year edition 🎆 Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do. Operationally this week the CyberHaven Chrome extension breach has some initial analysis published. Steven Lim released a KQL query to help identify if any of the extensions were in use within organisations. In the high-level this week: Department of Treasury letter on their alleged breach by China via BeyondTrust - NextGov publishes - "On December 8, 2024, Treasury was notified by […]

Social Media

  • A new variant of the Mirai botnet has been targeting Four-Faith industrial routers, exploiting a critical security flaw (CVE-2024-12856) to launch DDoS attacks. Read more about it here: https://t.co/tipv5LBAIo.
  • Four-Faith Industrial Router CVE-2024-12856 Exploited in the Wild https://t.co/zGAaxneVdd #cyber #threathunting #infosec
  • 🟡New Mirai Botnet Exploiting Zero-Days ⚠️ A Mirai-based botnet is targeting industrial routers & smart devices via zero-day exploits (e.g., CVE-2024-12856). High-intensity DDoS attacks disrupt networks globally. 🔧 Action: Patch devices, disable remote access, & change default […]
  • 2/9 Exploiting CVE-2024-12856, this #Mirai variant targets industrial routers. Ensure your devices are updated! #IoTSecurity 🔓
  • New Mirai botnet targets industrial routers with zero-day exploits: https://t.co/Nwa0uwYipi A new Mirai-based botnet is exploiting zero-day vulnerabilities in industrial routers and smart home devices, notably CVE-2024-12856 affecting Four-Faith routers. Discovered in February […]
  • "Gayfemboy" Botnet Leveraging 0-Day Exploit in Four-Faith Industrial Routers - CVE-2024-12856 Discover the powerful Gayfemboy botnet and its persistence in leveraging a 0-day vulnerability in industrial routers for DDoS attacks https://t.co/1C3YQ2EQZV
  • Hackers exploit Four-Faith router flaw (CVE-2024-12856) to open reverse shells via @BleepinComputer #Proficio #ThreatNews #Cybersecurity #MSSP #MDR https://t.co/IpNeAN1Sav
  • 🚨 Critical Alert: Four-Faith Router Flaw (CVE-2024-12856) 🚨 Hackers exploit a remote command injection vulnerability in Four-Faith routers (models F3x24, F3x36), opening reverse shells for full access. Currently, 15,000 internet-facing devices are at risk, many using default […]
  • The vulnerability is tracked as CVE-2024-12856, and when exploited, allows an attacker to inject commands
  • ⚠️ 15,000+ Four-Faith routers are exposed, with attackers actively exploiting a command injection flaw (CVE-2024-12856). 1️⃣ Attackers execute commands remotely via the adj_time_year parameter. 2️⃣ Reverse shells enable hackers to stay hidden and in control. https://t.co/oOUODkn1eZ

Affected Software

No affected software found for this CVE

References

  • https://ducklingstudio.blog.fc2.com/blog-entry-392.html
  • https://vulncheck.com/advisories/four-faith-time
  • https://vulncheck.com/blog/four-faith-cve-2024-12856

CWE Details

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
