OS Command Injection in Four-Faith F3x24/F3x36 apply.cgi
CVE-2024-12856 is an operating system command injection vulnerability affecting at least Four-Faith industrial router models F3x24 and F3x36, including at least firmware version 2.0. The flaw is exposed over HTTP via the /apply.cgi endpoint when the system time is modified with submit_type=adjust_sys_time. The injection point is the adj_time_year parameter, which is insufficiently sanitized, so an attacker can append shell commands to it that are executed on the underlying operating system. The issue is described as post-authentication, but the same firmware is also reported to ship with default credentials; where those credentials remain unchanged, the flaw is effectively exploitable remotely without meaningful authentication. Public reporting and in-the-wild exploitation describe crafted POST requests sent with HTTP Basic authentication to trigger command execution and launch reverse shells. The vulnerability is distinct from CVE-2019-12168, which also affects /apply.cgi but uses a different submit_type and parameter.
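The description above gives a defender two concrete things to key on: the endpoint plus submit_type, and the parameter whose legitimate value has a very narrow shape. The script below is an added example (not from this page, from Mallory, or from Four-Faith) that applies that logic to web-server or proxy access logs. It assumes the POST body is logged alongside the request line; the log format and all sample lines are constructed for the example, and the assumption that a legitimate adj_time_year is a plain four-digit year is the author's, not a vendor statement. Anything else in an adjust_sys_time submission is flagged, with shell metacharacters raised to an alert.

```python
"""
Detection helper for CVE-2024-12856-style requests to /apply.cgi.
Added example, not vendor or page code. Assumes access logs that record
the request path and the POST body; the log line format is constructed.
"""
import re
from urllib.parse import parse_qs

# Assumption: a legitimate adj_time_year is exactly four digits.
YEAR_RE = re.compile(r"^\d{4}$")
# Characters that have no business in a year field and typically mark
# an attempt to terminate or chain a shell command.
SHELL_META = re.compile(r"[;|&`$(){}\n<>]")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def assess_apply_cgi(path, body):
    """Classify one request as ignore / ok / suspicious / alert with a reason."""
    if not path.startswith("/apply.cgi"):
        return ("ignore", "not apply.cgi")
    params = parse_form(body)
    if params.get("submit_type") != "adjust_sys_time":
        return ("ignore", "not a time-adjust submission")
    year = params.get("adj_time_year", "")
    if YEAR_RE.match(year):
        return ("ok", "adj_time_year is a plain four-digit year")
    if SHELL_META.search(year):
        return ("alert", f"shell metacharacters in adj_time_year: {year!r}")
    return ("suspicious", f"non-numeric adj_time_year: {year!r}")


# Constructed sample log: client, method, path, then the POST body in quotes.
# The second line carries a harmless chained command purely to exercise the rule.
SAMPLE_LOG = """\
10.0.0.5 POST /apply.cgi "submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=06"
10.0.0.9 POST /apply.cgi "submit_type=adjust_sys_time&adj_time_year=2024%3Bid&adj_time_month=06"
10.0.0.7 POST /apply.cgi "submit_type=reboot"
10.0.0.8 GET /index.html ""
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def scan_log(text):
    """Return (client, verdict, reason) for every flagged line in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        client, _method, path, body = m.groups()
        verdict, reason = assess_apply_cgi(path, body)
        if verdict in ("alert", "suspicious"):
            findings.append((client, verdict, reason))
    return findings


if __name__ == "__main__":
    for client, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{verdict.upper():10} {client:12} {reason}")
```

The same four-digit check is the server-side fix shape as well: validating adj_time_year (and the other adj_time_* fields) against a strict allow-list before the value reaches any shell invocation removes the injection regardless of which metacharacter an attacker tries. Because the page notes that exploitation rides on default credentials, pairing this rule with an alert on HTTP Basic authentication using the default admin account gives earlier warning than the injection itself.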
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains an exploit for CVE-2024-12856, targeting Four-Faith router models F3x24 and F3x36 (firmware 2.0+). The exploit leverages an OS command injection vulnerability in the router's HTTP interface (apply.cgi) to execute arbitrary commands as an authenticated user. The main script, 'exploit.py', is a Python program that sends a crafted POST request to the router, injecting a payload that establishes a reverse shell to the attacker's machine using netcat. The attacker must provide the router's address, their own listener IP/port, and (optionally) credentials (default admin:admin). The exploit is operational and provides a working reverse shell if the target is vulnerable and accessible. The repository is structured simply, with a README, the exploit script, and a .gitattributes file. No detection or fake code is present.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Four-Faith router vulnerability referenced as used by RondoDox botnet (details truncated in excerpt).
An OS command injection vulnerability in select Four-Faith industrial routers that is reported as actively exploited in the wild.
A vulnerability in Four-Faith routers exploited by the Murdoc botnet (Mirai variant) for IoT botnet propagation and DDoS attacks.
A vulnerability in Four-Faith routers exploited by the Murdoc Mirai variant for botnet propagation.