A severe security vulnerability (CVE-2024-12856) affecting Four-Faith routers is currently being exploited by cybercriminals. The flaw, discovered by VulnCheck, allows authenticated attackers to execute commands remotely on affected devices.
Key Details:
– Affected Models: F3x24 and F3x36 router series
– Impacted Sectors: Energy, utilities, transportation, telecommunications, and manufacturing
– Vulnerable Devices: Approximately 15,000 internet-facing Four-Faith routers
Technical Analysis:
The vulnerability is a command injection flaw in the '/apply.cgi' endpoint, specifically in the 'adj_time_year' parameter. Attackers can exploit this weakness to establish reverse shells, gaining complete remote access to compromised devices. The attack vector is similar to the previously known CVE-2019-12168 vulnerability.
Risk Factors:
– Many devices still use default credentials
– Successful exploitation enables network pivoting
– Attackers can maintain persistence through configuration file modifications
Mitigation Steps:
1. Update router firmware to the latest version
2. Change default credentials immediately
3. Implement provided Suricata detection rules
4. Contact Four-Faith support for specific guidance
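Step 3 points to the Suricata rules VulnCheck published. The Python below is an added example, not from the article or from VulnCheck, of the same detection idea applied to web-server access logs: flag any request to /apply.cgi whose adj_time_year value is not a plain four-digit year, and record which authenticated user made it. The log format and the sample lines are constructed for illustration and are not real Four-Faith logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Common Log Format (hypothetical; the request
# parameters are assumed to be visible in the logged target, e.g. via a proxy).
SAMPLE_LOGS = [
    '192.0.2.10 - admin [27/Dec/2024:10:00:01 +0000] "POST /apply.cgi?adj_time_year=2024&adj_time_month=12 HTTP/1.1" 200 512',
    '198.51.100.23 - admin [27/Dec/2024:10:00:07 +0000] "POST /apply.cgi?adj_time_year=2024%3B%20id HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Dec/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# client, ident, user, timestamp, "method target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate adj_time_year is a four-digit year; anything else is suspicious.
YEAR_RE = re.compile(r'^\d{4}$')
SHELL_META = set(';|&`$(){}\n\r')


def inspect_request(line):
    """Return an alert dict for a suspicious /apply.cgi request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path != '/apply.cgi':
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get('adj_time_year', []):
        value = unquote(raw)  # second decode catches double-encoded values
        if YEAR_RE.match(value):
            continue
        return {
            'src_ip': m.group('ip'),
            'user': m.group('user'),      # the flaw is post-auth: which account was used
            'timestamp': m.group('ts'),
            'value': value,
            'shell_metachars': any(c in SHELL_META for c in value),
        }
    return None


def scan_logs(lines):
    """Run inspect_request over every line and keep only the alerts."""
    return [a for a in (inspect_request(l) for l in lines) if a]


if __name__ == '__main__':
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

An alert whose user field is the factory default account is a strong hint that step 2 (changing default credentials) has not been done on that device.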
While Four-Faith was notified on December 20, 2024, the availability of security patches remains unclear. Organizations using these devices should take immediate action to secure their infrastructure.