CVE-2024-12856
Published: 2024-12-27
Priority: P1 · 82 · high · 7.2 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 82.19% (99.6th percentile)
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| four-faith | f3x24 | — | — |
| four-faith | f3x24_firmware | — | — |
| four-faith | f3x36 | — | — |
| four-faith | f3x36_firmware | — | — |
Detection & IOCs (extracted from sources)
Command: submit_type=adjust_sys_time with adj_time_year parameter containing shell metacharacters
Rule (snort):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Four-Faith adjust_sys_time adj_time Command Injection Attempt (CVE-2024-12856)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/apply.cgi"; http.request_body; content:"submit_type|3d|adjust_sys_time"; fast_pattern; pcre:"/adj_time_(?:sec|min|hour|day|mon|year)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat; reference:cve,2024-128856; reference:cve,2024-12856; classtype:attempted-admin; sid:2063281; rev:1; metadata:affected_product Four_Faith, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_03, cve CVE_2024_12856, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect CVE-2024-12856 exploitation by monitoring for HTTP POST requests to /apply.cgi with a body containing 'submit_type=adjust_sys_time' and shell metacharacters (;, |, `, $, newline) in any adj_time_* parameter (adj_time_sec, adj_time_min, adj_time_hour, adj_time_day, adj_time_mon, adj_time_year).
- VulnCheck has published a Suricata rule specifically to detect CVE-2024-12856 exploitation attempts; defenders should apply it at the perimeter.
- RondoDox establishes persistence via /etc/init.d/rondo, /etc/rc3.d/S99rondo, appends to /etc/rcS, /etc/init.d/rcS, /etc/inittab, and modifies user/root crontab entries; hunt for these artifacts on compromised devices.
- RondoDox writes the contact email [email protected] to /tmp/contact.txt; presence of this file is a host-based indicator of compromise.
- RondoDox uses custom UPX packing with unique signatures; standard UPX unpackers may fail — look for non-standard UPX headers when triaging binaries from compromised Four-Faith routers.
- Firmware version 2.0 of Four-Faith F3x24/F3x36 ships with default credentials; if unchanged, the authenticated OS command injection (CVE-2024-12856) becomes effectively unauthenticated RCE.
- At least 15,000 internet-facing Four-Faith routers were identified by Censys as potentially vulnerable, broadening the attack surface significantly.
- Active exploitation of CVE-2024-12856 was observed as early as November 2024 (per Chainxin X Lab) and confirmed around December 20, 2024 (per VulnCheck), meaning devices were targeted before a CVE was assigned.
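As an added illustration (not code from this page, VulnCheck or Proofpoint), the following Python re-implements the four conditions of the ET rule above as a stand-alone checker and runs it over constructed requests; the sample bodies, the router.invalid host and the CONSTRUCTED_MARKER token are assumptions, not captured traffic. It also shows why metacharacters in a parameter other than adj_time_* do not fire the rule.

```python
import re
from dataclasses import dataclass

# Regex derived from the ET/Suricata rule above: an adj_time_* value (up to the
# next '&') containing a raw or percent-encoded ';', newline, backtick, '|' or '$'.
ADJ_TIME_META = re.compile(
    rb"adj_time_(?:sec|min|hour|day|mon|year)=[^&]*?"
    rb"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+"
)

@dataclass
class Verdict:
    alert: bool
    reason: str

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None, None, body
    return parts[0], parts[1], body

def inspect(raw: bytes) -> Verdict:
    """Apply the rule's conditions in order and say which one decided."""
    method, uri, body = parse_request(raw)
    if method != b"POST":
        return Verdict(False, "not a POST")
    if uri != b"/apply.cgi":  # the rule pins the URI exactly (bsize:10)
        return Verdict(False, "URI is not /apply.cgi")
    if b"submit_type=adjust_sys_time" not in body:
        return Verdict(False, "not a system-time adjustment")
    m = ADJ_TIME_META.search(body)
    if m is None:
        return Verdict(False, "no shell metacharacter in adj_time_* values")
    return Verdict(True, "metacharacter in %r" % m.group(0)[:40])

def _req(body: bytes, uri: bytes = b"/apply.cgi") -> bytes:
    """Build a constructed request; CONSTRUCTED_MARKER stands in for a payload."""
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: router.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)

# Constructed samples, not captured traffic.
SAMPLES = {
    "benign": _req(b"submit_type=adjust_sys_time&adj_time_year=2025&adj_time_mon=1"),
    "raw_semicolon": _req(b"submit_type=adjust_sys_time&adj_time_year=2025;CONSTRUCTED_MARKER"),
    "encoded_pipe": _req(b"submit_type=adjust_sys_time&adj_time_day=1%7cCONSTRUCTED_MARKER"),
    "other_param": _req(b"submit_type=adjust_sys_time&hostname=a;b&adj_time_year=2025"),
    "other_uri": _req(b"submit_type=adjust_sys_time&adj_time_year=2025;x", uri=b"/index.cgi"),
}

def scan_all() -> dict:
    """Map each sample name to whether it would trigger the rule."""
    return {name: inspect(raw).alert for name, raw in SAMPLES.items()}
```

Only the two adj_time_* samples alert; the percent-encoded variant is caught because the rule matches both raw and encoded metacharacters.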
CVSS provenance
- NVD (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.2 HIGH
GHSA
GHSA-5qv9-wh8x-pfpm (ghsa_unreviewed · 2024-12-27 · CWE-78 · [HIGH]): The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability
VulnCheck
## Four-Faith adjust_sys_time OS Command Injection
vulncheck · 2024 · CVSS 7.2 · [HIGH]
Four-Faith industrial routers are vulnerable to an operating system command injection vulnerability.
Affected: Four-Faith F3x24 and F3x36
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://ducklingstudio.blog.fc2.com/blog-entry-392.html
- https://vulncheck.com/blog/four-faith-cve-2024-12856
- https://www.cve.org/CVERecord?id=CVE-2024-12856
- https://blog.xlab.qianxin.com/gayfemboy-en/
- https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-08&host_type=src&vulnerability=cve-2024-12856
Suricata
## ET WEB_SPECIFIC_APPS Four-Faith adjust_sys_time adj_time Command Injection Attempt (CVE-2024-12856)
suricata · 2025-07-03 · CVSS 7.2 · [HIGH]
No public exploits indexed.
Checkpoint
blogs_checkpoint · 2025-10-13 · CVE-2023-1389
## 13th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Qilin ransomware group has claimed responsibility for targeting Asahi, Japan’s largest brewing company, which had been hacked on September 29th. The attack resulted in the exfiltration of over 9,300 files totaling 27GB of sensitive data, including financial documents, employee IDs, contracts, and internal reports. The at
Trendmicro
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro · 2025-10-09 · CVSS 8.8 · [HIGH] · Cyber Threats
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Key takeaways
- The campaign exposes organizations with exposed infrastructure to the risks of data exfiltration, persistent network compromise, and operational disruption.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bleepingcomputer
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer · 2025-10-09 · CVSS 8.8 · [HIGH]
By Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Fortinet
## RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs
blogs_fortinet · 2025-07-03 · CVSS 7.2 · [HIGH]
FORTIGUARD LABS THREAT RESEARCH
A new botnet built for evasion and disruption
By Vincent Li | July 03, 2025
Affected Platforms: TBK DVR-4104, TBK DVR-4216, Four-Faith router models F3x24 and F3x36.
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device se
Bleepingcomputer
## New Mirai botnet targets industrial routers with zero-day exploits
blogs_bleepingcomputer · 2025-01-07 · CVSS 8.8 · CVE-2024-12856 [HIGH]
By Bill Toulas
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices.
Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet's development and attacks.
One of the security issues is CVE-2024-12856, a vulnerability in Four-Faith industrial routers that VulnCheck discovered in late December but noticed efforts to exploit it around December 20.
to leverage zero-day exploits has been leveraging a zero-day exploit for CVE-2024-12856, impacting Four-Faith routers, alongside other custom exploits for flaws in Neterbit
Bleepingcomputer
## Hackers exploit Four-Faith router flaw to open reverse shells
blogs_bleepingcomputer · 2024-12-30 · CVSS 7.2 · CVE-2024-12856 [HIGH]
By Bill Toulas
## Flaw details and scope
CVE-2024-12856 is an OS command injection flaw impacting Four-Faith router models F3x24 and F3x36, typically deployed in energy and utilities, transportation, telecommunications, and manufacturing sectors.
VulnCheck says hackers can gain access to those devices because many are configured with default credentials, which are easy to brute force.
The attack begins with the transmission of a specially crafted HTTP POST request to the router's '/apply.cgi' endpoint targeting the 'adj_time_year' parameter.
This is a parameter used for adjusting the system time, but it can be manipulated to include a shell command.
VulnCheck warns that the current attacks are similar to those targetin
Checkpoint
blogs_checkpoint · 2024-12-30 · CVSS 9.8 · CVE-2024-50623 [CRITICAL]
## 30th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 30th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours to initiate ransom negotiations before publicly disclosing their identities. This incident mirrors
Greynoiseio
## NoiseLetter January 2025
blogs_greynoiseio