The attack can be conducted against at least the Four-Faith F3x24 and F3x36 models over HTTP via the /apply.cgi endpoint. These devices are vulnerable to OS command injection through the adj_time_year parameter when the device's system time is modified via submit_type=adjust_sys_time.
Data from Censys shows that there are over 15,000 internet-facing devices. There is some evidence suggesting that attacks exploiting the flaw may have been ongoing since at least early November 2024.
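For defenders reviewing web or proxy logs for the request pattern described above, the following is an added detection sketch, not code from the vendor or from the original article. It assumes log records are available as (source IP, request path, form body) tuples, that a legitimate adj_time_year value is a bare four-digit year, and that the parameters may arrive in either the query string or the body; all sample records are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate adj_time_year value is a plain four-digit year.
YEAR_RE = re.compile(r"[0-9]{4}")

def suspicious_time_adjust(path, body):
    """Return a reason string if a request to /apply.cgi carries an
    adj_time_year value that is not a bare year, otherwise None."""
    route, _, query = path.partition("?")
    if route != "/apply.cgi":
        return None
    # Check query string and form body together; parse_qs also undoes
    # percent-encoding, so encoded metacharacters are seen in the clear.
    params = parse_qs(query + "&" + body, keep_blank_values=True)
    if "adjust_sys_time" not in params.get("submit_type", []):
        return None
    for value in params.get("adj_time_year", []):
        if not YEAR_RE.fullmatch(value):
            return f"adj_time_year is not a four-digit year: {value!r}"
    return None

def hunt(records):
    """Return (source, reason) for every record flagged as suspicious."""
    hits = []
    for source, path, body in records:
        reason = suspicious_time_adjust(path, body)
        if reason:
            hits.append((source, reason))
    return hits

# Constructed sample records: (source IP, request path, form body).
# Addresses are documentation ranges; non-page values are placeholders.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/apply.cgi", "submit_type=adjust_sys_time&adj_time_year=2025"),
    ("198.51.100.7", "/apply.cgi",
     "submit_type=adjust_sys_time&adj_time_year=2025%3BCONSTRUCTED"),
    ("192.0.2.10", "/apply.cgi", "submit_type=CONSTRUCTED_OTHER&adj_time_year=abc"),
    ("192.0.2.10", "/constructed.html", ""),
]

if __name__ == "__main__":
    for source, reason in hunt(SAMPLE_REQUESTS):
        print(source, reason)
```

Because the check is an allowlist on the expected value rather than a list of shell metacharacters, encoded or unusual separators are flagged as well.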