According to new VulnCheck findings, a high-severity flaw affecting select Four-Faith routers is being exploited in the wild.
The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.
The flaw is rated less severe because exploitation requires the remote attacker to authenticate first. However, if the default credentials shipped with the routers have not been changed, it can effectively be used for unauthenticated OS command execution.
In the attack detailed by VulnCheck, unknown threat actors were observed using default router credentials to trigger the exploit for CVE-2024-12856 and launch a reverse shell for persistent remote access.
An exploitation attempt originated from the IP address 178.215.238(.)91, which was previously used in attacks weaponizing CVE-2019-12168, another remote code execution flaw affecting Four-Faith routers. According to threat intelligence company GreyNoise, attempts to exploit CVE-2019-12168 were recorded as recently as December 19, 2024.
“At least Four-Faith F3x24 and F3x36 can be attacked via HTTP using the /apply.cgi endpoint,” Jacob Baines said in the report. “Systems are vulnerable to injecting OS commands into the adj_time_year parameter when changing the device’s system time via submit_type=adjust_sys_time.”
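As an added example (not from VulnCheck's report or this article), the following defender-side heuristic flags requests with the shape Baines describes: a request to /apply.cgi that sets submit_type=adjust_sys_time with an adj_time_year value that is not a plain four-digit year. The tab-separated log format and the documentation-range IP addresses are constructed assumptions; adapt the parser to your proxy or IDS log.

```python
"""Detection heuristic for CVE-2024-12856 exploitation attempts.

Added example, not VulnCheck's or Four-Faith's code. A legitimate system
time change carries a numeric year in adj_time_year; anything else in that
parameter on a submit_type=adjust_sys_time request is worth alerting on.
"""
import re
from urllib.parse import parse_qs, urlsplit

YEAR_RE = re.compile(r"\d{4}")  # a legitimate adj_time_year is just a year


def _form_params(path, body):
    """Merge query-string and body parameters (values are percent-decoded)."""
    params = parse_qs(body, keep_blank_values=True)
    params.update(parse_qs(urlsplit(path).query, keep_blank_values=True))
    return params


def is_suspicious_request(path, body):
    """True if the request looks like an adj_time_year injection attempt."""
    if urlsplit(path).path != "/apply.cgi":
        return False
    params = _form_params(path, body)
    if params.get("submit_type", [""])[0] != "adjust_sys_time":
        return False
    # parse_qs has already percent-decoded the values, so encoded
    # shell metacharacters (e.g. %3B) are caught as well as literal ones.
    return any(not YEAR_RE.fullmatch(y) for y in params.get("adj_time_year", []))


def scan_log(lines):
    """Return (client_ip, decoded adj_time_year) for each suspicious line.

    Assumed (constructed) log format: ip<TAB>method<TAB>path<TAB>body
    """
    hits = []
    for line in lines:
        ip, _method, path, body = line.rstrip("\n").split("\t", 3)
        if is_suspicious_request(path, body):
            hits.append((ip, _form_params(path, body)["adj_time_year"][0]))
    return hits


# Constructed sample traffic using documentation-range (TEST-NET) addresses.
SAMPLE_LOG = [
    "192.0.2.10\tPOST\t/apply.cgi\tsubmit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12",
    "203.0.113.5\tPOST\t/apply.cgi\tsubmit_type=reboot",
    "198.51.100.7\tPOST\t/apply.cgi\tsubmit_type=adjust_sys_time&adj_time_year=2024%3Bid",
    "192.0.2.10\tGET\t/status.cgi\t",
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious adj_time_year from {ip}: {value!r}")
```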
Censys data shows that more than 15,000 such devices are exposed to the Internet. There is some evidence suggesting that attacks exploiting the flaw may have been ongoing since at least early November 2024.
There is currently no word on the availability of patches, although VulnCheck said it responsibly reported the flaw to the Chinese company on December 20, 2024. Hacker News reached out to Four-Faith for comment before publishing this story and will update the piece when we hear back.