
A high-severity vulnerability in Four-Faith routers has placed over 15,000 devices at risk, with active exploitation already observed. The flaw, identified as CVE-2024-12856, has been disclosed by VulnCheck and underscores the urgent need for router owners to take immediate protective actions.
Understanding CVE-2024-12856: An OS Command Injection Bug
CVE-2024-12856 is a critical operating system (OS) command injection vulnerability impacting two widely used router models: Four-Faith F3x24 and F3x36. It carries a CVSS score of 7.2, indicating a high risk. However, its exploitability depends on the attacker’s ability to authenticate with the device. This condition is trivially met when users have neglected to change the default credentials, which effectively turns the flaw into unauthenticated OS command execution.
VulnCheck’s analysis revealed that threat actors are actively exploiting this flaw by logging in with default credentials. Once access is gained, attackers exploit CVE-2024-12856 to launch a reverse shell, granting them persistent remote control over the device. This type of exploitation poses significant risks, including unauthorized network access, data exfiltration, and further lateral attacks.
Details of the Attack
The attack is initiated through the /apply.cgi endpoint, specifically targeting the adj_time_year parameter used to modify system time settings. As noted by VulnCheck researcher Jacob Baines, “The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device’s system time via submit_type=adjust_sys_time.”
Threat actors have been found to originate exploitation attempts from the IP address 178.215.238[.]91. This IP address has a known history of malicious activity, including attacks exploiting CVE-2019-12168, another critical remote code execution flaw in Four-Faith routers. GreyNoise, a threat intelligence firm, confirmed ongoing attempts to exploit CVE-2019-12168 as recently as December 19, 2024, highlighting the sustained interest of attackers in compromising Four-Faith devices.
Scope of the Threat
According to data from Censys, over 15,000 Four-Faith routers are currently exposed to the internet, making them potential targets. Evidence suggests that exploitation of CVE-2024-12856 may have begun as early as November 2024. The sheer number of exposed devices amplifies the severity of the threat, particularly if default credentials remain unchanged.

Mitigation and Recommendations
While Four-Faith has not yet released a patch for this vulnerability, organizations and individuals using affected devices should adopt the following measures immediately:
Change Default Credentials: Replace default usernames and passwords with strong, unique combinations to block unauthorized access.
Restrict Remote Access: Limit router access to trusted IP addresses and disable remote management features if not essential.
Monitor for Suspicious Activity: Regularly review logs for unusual login attempts or unexpected configurations.
Isolate the Affected Routers: If feasible, segment vulnerable devices into a separate network to minimize the potential for lateral movement.
Update Firmware: Stay in touch with Four-Faith’s announcements and apply firmware updates as soon as they become available.
Use Threat Intelligence Tools: Employ tools like GreyNoise to identify active exploitation attempts and take preemptive action.
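To make the “Details of the Attack” section and the “Monitor for Suspicious Activity” recommendation concrete, here is an added example of log review for this vulnerability. It is not Four-Faith’s, VulnCheck’s or GreyNoise’s code. It assumes a reverse proxy or WAF in front of the router writes one JSON object per request with the form body captured (the log format, the /login.cgi path, the failed-login threshold and every sample line are constructed for this example). It flags requests from the source IP named in the article, requests to /apply.cgi that set submit_type=adjust_sys_time with an adj_time_year value that is not a plain four-digit year, and bursts of failed logins from one source.

```python
"""Added example, not Four-Faith's, VulnCheck's or GreyNoise's code.

Scans a constructed JSON-lines proxy log for signs of CVE-2024-12856
exploitation attempts and credential guessing against a Four-Faith router.
The log format, /login.cgi, the threshold and the sample lines are assumptions.
"""
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Source IP the article reports as the origin of exploitation attempts.
KNOWN_BAD_SOURCES = {"178.215.238.91"}

# A legitimate year is four decimal digits and nothing else.
YEAR_RE = re.compile(r"\d{4}")
# Characters that mean something to a shell and never belong in a year field.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\\n\r]")

# Hypothetical failed-login threshold per source; tune for your environment.
FAILED_LOGIN_THRESHOLD = 3


def is_valid_year(value: str) -> bool:
    """Strict allow-list check: the only shape adj_time_year should ever have."""
    return YEAR_RE.fullmatch(value) is not None


def request_params(uri: str, body: str) -> dict:
    """Merge query-string and form-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params


def inspect_request(src: str, uri: str, body: str) -> list:
    """Return the reasons one request looks like a CVE-2024-12856 attempt."""
    reasons = []
    if src in KNOWN_BAD_SOURCES:
        reasons.append("source IP matches reported attacker infrastructure")
    if urlsplit(uri).path != "/apply.cgi":
        return reasons
    params = request_params(uri, body)
    # Only the adjust_sys_time action reaches the vulnerable parameter.
    if "adjust_sys_time" not in params.get("submit_type", []):
        return reasons
    for year in params.get("adj_time_year", []):
        if not is_valid_year(year):
            reasons.append(f"adj_time_year is not a plain year: {year!r}")
        if SHELL_META_RE.search(year):
            reasons.append("shell metacharacters in adj_time_year")
    return reasons


def scan_log(lines) -> list:
    """Return (src, reason) findings for an iterable of JSON log lines."""
    findings = []
    failed_logins = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        src, uri, body = rec["src"], rec["uri"], rec.get("body", "")
        for reason in inspect_request(src, uri, body):
            findings.append((src, reason))
        # Hypothetical login endpoint; a 401 here is a failed credential attempt.
        if urlsplit(uri).path == "/login.cgi" and rec.get("status") == 401:
            failed_logins[src] += 1
    for src, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append((src, f"{count} failed logins"))
    return findings


# Constructed sample log: one benign time change, one request shaped like an
# injection attempt from the reported IP, unrelated traffic, and three failed
# logins from a single documentation-range address.
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "POST", "uri": "/apply.cgi", "body": "submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12", "status": 200}
{"src": "178.215.238.91", "method": "POST", "uri": "/apply.cgi", "body": "submit_type=adjust_sys_time&adj_time_year=2024%3Becho+probe", "status": 200}
{"src": "10.0.0.7", "method": "GET", "uri": "/status.cgi", "body": "", "status": 200}
{"src": "198.51.100.9", "method": "POST", "uri": "/login.cgi", "body": "", "status": 401}
{"src": "198.51.100.9", "method": "POST", "uri": "/login.cgi", "body": "", "status": 401}
{"src": "198.51.100.9", "method": "POST", "uri": "/login.cgi", "body": "", "status": 401}
"""

if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src}: {reason}")
```

The allow-list in is_valid_year is the same check a hardened handler would apply before the value ever reaches a shell: a year is four digits, so anything else is worth an alert regardless of which metacharacter it carries. The metacharacter pattern is kept as a second signal because it tells the analyst that the anomaly is injection-shaped rather than a malformed form submission.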
Vendor’s Response
VulnCheck responsibly disclosed CVE-2024-12856 on December 20, 2024. As of now, Four-Faith has not issued a patch or an official statement addressing the vulnerability.
Implications
The exploitation of CVE-2024-12856 is a stark reminder of the risks posed by default credentials and unpatched vulnerabilities. It also highlights the need for robust device management practices in organizations and homes. With attackers demonstrating a sustained interest in Four-Faith routers, proactive measures are essential to safeguard networks from compromise.
Summary
The discovery of CVE-2024-12856 underscores a critical lesson: default credentials should never be overlooked. Over 15,000 Four-Faith routers are exposed to this vulnerability, potentially serving as entry points for cybercriminals. Until a patch is available, users must act swiftly to secure their devices by following the recommended mitigations. Failure to do so could result in significant security breaches, financial losses, and reputational damage.