A critical vulnerability has been discovered in Four-Faith routers, affecting models F3x24 and F3x36, with over 15,000 internet-facing devices exposed. The flaw, tracked as CVE-2024-12856, is an operating system (OS) command injection bug that allows remote attackers to execute arbitrary commands on affected devices. While the vulnerability requires authentication to be exploited, it can be triggered without authentication if the routers’ default credentials remain unchanged. This makes the flaw particularly dangerous for organizations that have not taken the necessary steps to secure their devices.
Successful exploitation gives the attacker persistent remote access to the router through a reverse shell. The attackers observed by VulnCheck have been leveraging the default credentials to exploit the flaw and establish a foothold on vulnerable devices. The attack goes through the router's /apply.cgi endpoint, specifically the adj_time_year parameter used when modifying system time settings. This issue can have significant consequences for both the security of the routers themselves and the integrity of the network infrastructure behind them.
Further research from threat intelligence firms such as GreyNoise has connected the exploit to the same IP address (178.215.238[.]91) previously associated with attempts to weaponize CVE-2019-12168, another remote code execution flaw impacting Four-Faith routers. This indicates that the current wave of attacks may be part of an ongoing campaign targeting Four-Faith routers. Vulnerability data from Censys shows that many devices are still exposed to these threats, highlighting the urgent need for patching and better security practices within affected networks.
At this time, no patches are available for CVE-2024-12856, though the flaw was responsibly reported to Four-Faith by VulnCheck on December 20, 2024. With the vulnerability having been actively exploited for potentially over a month, organizations using these router models are strongly urged to change default credentials and monitor their devices for any signs of unauthorized access. As the situation develops, it remains crucial for Four-Faith to release a patch and for the broader cybersecurity community to continue monitoring for further attacks exploiting this flaw.
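Since no patch is available, monitoring is the remaining control the article recommends. The following is an added example, not code from the article or from Four-Faith or VulnCheck, of how a defender could triage web-server access logs for the pattern described above: requests to /apply.cgi whose adj_time_year value is not a plain four-digit year, or which come from the source address the article associates with the campaign. The log lines, the Combined Log Format assumption, and the `analyse_line`/`scan` function names are all constructed for this illustration; the one indicator (178.215.238.91) is taken from the article, which defangs it as 178.215.238[.]91.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Source address the article ties to this campaign (defanged there as 178.215.238[.]91).
KNOWN_CAMPAIGN_IPS = {"178.215.238.91"}

# Assumption: the router (or a reverse proxy in front of it) writes Apache/Nginx
# Combined Log Format. Only the request line is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_PATH = "/apply.cgi"
TARGET_PARAM = "adj_time_year"
YEAR_RE = re.compile(r"^\d{4}$")              # the only legitimate shape for a year field
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")  # characters with no business in a year


def analyse_line(line):
    """Return an alert dict for a suspicious /apply.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a line we know how to parse
    ip, target = m.group("ip"), m.group("target")
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return None

    reasons = []
    if ip in KNOWN_CAMPAIGN_IPS:
        reasons.append("source address matches published campaign indicator")

    # parse_qs percent-decodes values, so %3B is already ';' here.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        if not YEAR_RE.match(value):
            detail = f"{TARGET_PARAM} is not a 4-digit year: {value!r}"
            if SHELL_META.search(value):
                detail += " (contains shell metacharacters)"
            reasons.append(detail)

    if not reasons:
        return None
    return {"ip": ip, "time": m.group("ts"), "target": target,
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Run analyse_line over an iterable of log lines and collect the alerts."""
    return [alert for alert in map(analyse_line, lines) if alert]


# Constructed sample log: one benign time change, one injection-shaped value,
# one request from the published indicator address, one unrelated endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Dec/2024:10:00:00 +0000] "POST /apply.cgi?adj_time_year=2024&adj_time_month=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Dec/2024:10:01:00 +0000] "POST /apply.cgi?adj_time_year=2024%3Becho%20test HTTP/1.1" 200 512',
    '178.215.238.91 - - [27/Dec/2024:10:02:00 +0000] "POST /apply.cgi?adj_time_year=2024 HTTP/1.1" 401 0',
    '192.0.2.10 - - [27/Dec/2024:10:03:00 +0000] "GET /status.cgi HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["ip"], alert["status"], "; ".join(alert["reasons"]))
```

Two caveats apply. Access logs record only the query string, so if the time-setting form submits its parameters in a POST body the check has to run where that body is visible (a WAF, request-body logging, or a packet capture) rather than on the default access log. And the status code is worth keeping in the alert: a 401 from the indicator address suggests the default credentials were already changed, whereas a 200 on an injection-shaped value is the case to treat as a probable compromise and investigate for the reverse shell the article describes.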