7.2

CVE-2024-12856

Exploit

Four-Faith Industrial Router adjust_sys_time OS Command Injection

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
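The description above gives the shape of the bug (a system-time field reaching a shell command that the CGI builds by string concatenation) but no request details. The following Python is an added example, not code from the advisory, the vendor or the referenced write-ups: it triages decoded HTTP requests to apply.cgi for shell metacharacters in any form field and applies the allowlist validation a fixed handler should perform before touching the clock. Only the apply.cgi path and the adjust_sys_time action name come from the page; the form field names (adj_time_year and the rest), their ranges and the sample request bodies are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl

# Characters and sequences that let a form value break out of a shell command
# built by string concatenation (the CWE-78 pattern behind this CVE).
SHELL_META = re.compile(r"[;&|`\n\r<>]|\$[({]")

# The action name comes from the advisory title; the field names and ranges
# below are an ASSUMPTION for illustration, not taken from the firmware.
TIME_ACTION = "adjust_sys_time"
TIME_FIELD_RANGES = {
    "adj_time_year": (2000, 2099),
    "adj_time_month": (1, 12),
    "adj_time_day": (1, 31),
    "adj_time_hour": (0, 23),
    "adj_time_min": (0, 59),
}

# Constructed sample requests as (method, path, raw form body); these are not
# captures from a real device.
SAMPLE_REQUESTS = [
    # 0: benign clock change
    ("POST", "/apply.cgi",
     "change_action=adjust_sys_time&adj_time_year=2024&adj_time_month=12"
     "&adj_time_day=27&adj_time_hour=10&adj_time_min=5"),
    # 1: year field carries ';' (URL-encoded %3B) to chain a second command
    ("POST", "/apply.cgi",
     "change_action=adjust_sys_time&adj_time_year=2024%3Bid%3E%2Ftmp%2Fo"
     "&adj_time_month=12&adj_time_day=27&adj_time_hour=10&adj_time_min=5"),
    # 2: command substitution via $( ) (URL-encoded %24%28 ... %29)
    ("POST", "/apply.cgi",
     "change_action=adjust_sys_time&adj_time_year=%24%28id%29"
     "&adj_time_month=12&adj_time_day=27&adj_time_hour=10&adj_time_min=5"),
    # 3: no metacharacters, but out of range: a validator must still reject it
    ("POST", "/apply.cgi",
     "change_action=adjust_sys_time&adj_time_year=99999&adj_time_month=12"
     "&adj_time_day=27&adj_time_hour=10&adj_time_min=5"),
    # 4: unrelated endpoint, ignored by the triage
    ("GET", "/status.cgi", ""),
]


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def suspicious_fields(fields):
    """Return (name, value) pairs whose decoded value contains shell metacharacters."""
    return [(k, v) for k, v in fields.items() if SHELL_META.search(v)]


def valid_time_fields(fields):
    """Allowlist check a hardened handler should run before changing the clock:
    every expected field present, ASCII digits only, inside its range."""
    for name, (lo, hi) in TIME_FIELD_RANGES.items():
        value = fields.get(name)
        if value is None or not re.fullmatch(r"[0-9]{1,4}", value):
            return False
        if not lo <= int(value) <= hi:
            return False
    return True


def triage(requests):
    """Report on every POST to apply.cgi: metacharacters in any field, and
    whether a time-change request would pass the allowlist validator."""
    findings = []
    for idx, (method, path, body) in enumerate(requests):
        if method != "POST" or path.split("?", 1)[0] != "/apply.cgi":
            continue
        fields = parse_form(body)
        action = fields.get("change_action")
        findings.append({
            "request": idx,
            "action": action,
            "shell_meta": suspicious_fields(fields),
            "time_fields_valid": (valid_time_fields(fields)
                                  if action == TIME_ACTION else None),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

The metacharacter scan is the hunting rule: run it over proxy or packet-capture data for the management interface and anything it flags on apply.cgi deserves a look regardless of the action name. The range validator is the fix side of CWE-78: a handler that only ever passes digit strings it has already bounds-checked to the clock-setting command has nothing left for an attacker to inject, and the out-of-range sample shows why rejecting metacharacters alone is not enough.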
Data provided by the National Vulnerability Database (NVD)
Affected configurations (NVD):
Four-faith F3x36 firmware, version 2.0 (on Four-faith F3x36 hardware, any version)
Four-faith F3x24 firmware, version 2.0 (on Four-faith F3x24 hardware, any version)
VulnDex Vulnerability Enrichment
No warning was found for this CVE.
EPSS metrics
Type: EPSS | Source: FIRST.org | Score: 82.19% | Percentile: 0.996
(The EPSS score is FIRST's estimated probability of exploitation activity in the next 30 days; a 0.996 percentile puts this CVE above 99.6% of all scored CVEs.)
CVSS metrics
Source: disclosure@vulncheck.com
Base score: 7.2 (High) | Exploitability subscore: 1.2 | Impact subscore: 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The PR:H component (high privileges required) is what keeps the base score below critical. Where the default credentials noted in the description are still in place, that precondition is trivially met and the practical risk is closer to unauthenticated remote code execution than the score suggests.
CWE-1392 Use of Default Credentials

The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References
https://ducklingstudio.blog.fc2.com/blog-entry-392.html (Third Party Advisory, Exploit)
https://vulncheck.com/advisories/four-faith-time (Third Party Advisory)
https://vulncheck.com/blog/four-faith-cve-2024-12856 (Third Party Advisory, Exploit)