CVE-2024-12856
published 2024-12-27


Priority: P1 (82, high)
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Exploitation: in the wild (ITW); listed in VulnCheck KEV
EPSS: 82.19% (99.6th percentile)
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

Affected (4 ranges)

Vendor       Product           Version range   Fixed in
four-faith   f3x24
four-faith   f3x24_firmware
four-faith   f3x36
four-faith   f3x36_firmware

Detection & IOCs (extracted from sources)

path: /apply.cgi
command: submit_type=adjust_sys_time with adj_time_year parameter containing shell metacharacters
ip: 83.150.218.93
path: /etc/init.d/rondo
path: /etc/rc3.d/S99rondo
filename: rondo.x86_64

Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Four-Faith adjust_sys_time adj_time Command Injection Attempt (CVE-2024-12856)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/apply.cgi"; http.request_body; content:"submit_type|3d|adjust_sys_time"; fast_pattern; pcre:"/adj_time_(?:sec|min|hour|day|mon|year)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat; reference:cve,2024-128856; reference:cve,2024-12856; classtype:attempted-admin; sid:2063281; rev:1; metadata:affected_product Four_Faith, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_03, cve CVE_2024_12856, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect CVE-2024-12856 exploitation by monitoring for HTTP POST requests to /apply.cgi with a body containing 'submit_type=adjust_sys_time' and shell metacharacters (;, |, `, $, newline) in any adj_time_* parameter (adj_time_sec, adj_time_min, adj_time_hour, adj_time_day, adj_time_mon, adj_time_year).
  • VulnCheck has published a Suricata rule specifically to detect CVE-2024-12856 exploitation attempts; defenders should apply it at the perimeter.
  • RondoDox establishes persistence via /etc/init.d/rondo and /etc/rc3.d/S99rondo, appends to /etc/rcS, /etc/init.d/rcS and /etc/inittab, and modifies user/root crontab entries; hunt for these artifacts on compromised devices.
  • RondoDox writes the contact email [email protected] to /tmp/contact.txt; presence of this file is a host-based indicator of compromise.
  • RondoDox uses custom UPX packing with unique signatures; standard UPX unpackers may fail, so look for non-standard UPX headers when triaging binaries from compromised Four-Faith routers.
  • Firmware version 2.0 of Four-Faith F3x24/F3x36 ships with default credentials; if unchanged, the authenticated OS command injection (CVE-2024-12856) becomes effectively unauthenticated RCE.
  • At least 15,000 internet-facing Four-Faith routers were identified by Censys as potentially vulnerable, broadening the attack surface significantly.
  • Active exploitation of CVE-2024-12856 was observed as early as November 2024 (per Chainxin X Lab) and confirmed around December 20, 2024 (per VulnCheck), meaning devices were targeted before a CVE was assigned.
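As an added illustration of the first detection bullet (this is example code, not from the CVE record, VulnCheck, Proofpoint or Four-Faith), the Python check below applies the same conditions as the Suricata rule to a raw HTTP request: POST to /apply.cgi, submit_type=adjust_sys_time, and a shell metacharacter, raw or percent-encoded, in any adj_time_* field. The two sample requests are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Same metacharacter set the Suricata rule matches, checked after URL-decoding
# so both raw ';' and '%3B' (or double-encoded '%253B') are caught.
SHELL_META = re.compile(r"[;\n`|$]")
ADJ_FIELD = re.compile(r"^adj_time_(?:sec|min|hour|day|mon|year)$")


def parse_form(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body on '&' only.
    Done by hand so a raw ';' in a value is kept as data, not treated as a
    separator (older urllib.parse.parse_qs versions would split on it)."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def suspicious_adj_time_fields(method: str, uri: str, body: str) -> list:
    """Return the adj_time_* field names carrying shell metacharacters,
    or [] when the request does not fit the CVE-2024-12856 pattern."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != "/apply.cgi":
        return []
    params = parse_form(body)
    if "adjust_sys_time" not in params.get("submit_type", []):
        return []
    return sorted(
        name for name, values in params.items()
        if ADJ_FIELD.match(name)
        and any(SHELL_META.search(unquote_plus(v)) for v in values)
    )


def scan_request(raw: str) -> list:
    """Take a raw HTTP/1.1 request, pull out method, URI and body, run the check."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri = head.split("\r\n", 1)[0].split(" ")[:2]
    return suspicious_adj_time_fields(method, uri, body)


# Constructed samples: a legitimate clock change and one with an encoded ';'.
BENIGN = ("POST /apply.cgi HTTP/1.1\r\nHost: router\r\n\r\n"
          "submit_type=adjust_sys_time&adj_time_year=2024&adj_time_mon=12")
FLAGGED = ("POST /apply.cgi HTTP/1.1\r\nHost: router\r\n\r\n"
           "submit_type=adjust_sys_time&adj_time_year=2024%3Bid&adj_time_mon=12")

if __name__ == "__main__":
    print(scan_request(BENIGN))   # []
    print(scan_request(FLAGGED))  # ['adj_time_year']
```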

CVSS provenance

NVD: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 7.2 HIGH