Experts at VulnCheck have reported active exploitation of a critical vulnerability in Four-Faith routers. The flaw, tracked as CVE-2024-12856 with a CVSS score of 7.2, is an OS command injection vulnerability affecting the F3x24 and F3x36 models.
The severity of the issue is heightened when users fail to change the default credentials for accessing the web interface of the device. This oversight allows unauthenticated attackers to execute arbitrary commands, granting them remote access through a reverse shell upon successful exploitation.
Attack attempts have been traced to the IP address 178.215.238[.]91, previously associated with the exploitation of CVE-2019-12168. GreyNoise experts have confirmed that these attacks continued until mid-December 2024.
According to VulnCheck, the vulnerability stems from the adj_time_year parameter, which is used to adjust the system time of the device via HTTP requests to /apply.cgi. Exploitation is achieved by transmitting data through the submit_type=adjust_sys_time parameter.
Censys analysts have identified over 15,000 vulnerable Four-Faith devices accessible on the internet, significantly amplifying the threat’s scale. It is believed that the attacks began as early as November 2024. VulnCheck reported the issue to the developer on December 20, 2024, but as of now, no information on a patch release has been provided.
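The request shape described above (a request to /apply.cgi carrying submit_type=adjust_sys_time with a non-year value in adj_time_year) is enough to build a simple detector. The following is an added example, not code from VulnCheck or Four-Faith; it assumes a reverse-proxy or WAF log in front of the router that records client IP, path and the request body as tab-separated fields, and the sample records are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Indicator from the report: the source IP observed in attack attempts.
KNOWN_ATTACKER_IPS = {"178.215.238.91"}

# A legitimate adj_time_year value is a four-digit year and nothing else.
YEAR_RE = re.compile(r"\d{4}")

def classify_request(client_ip, path, body):
    """Return the reasons a request looks like CVE-2024-12856 abuse.
    An empty list means nothing suspicious was found."""
    reasons = []
    if client_ip in KNOWN_ATTACKER_IPS:
        reasons.append("source IP matches published indicator")
    if path != "/apply.cgi":
        return reasons
    params = parse_qs(body, keep_blank_values=True)
    if params.get("submit_type") != ["adjust_sys_time"]:
        return reasons
    for value in params.get("adj_time_year", []):
        if not YEAR_RE.fullmatch(value):
            reasons.append(f"non-numeric adj_time_year: {value!r}")
    return reasons

# Constructed sample records (not real traffic). Assumed format: a proxy log
# in front of the router with client IP, path and POST body, tab-separated.
SAMPLE_LOG = """\
10.0.0.5\t/apply.cgi\tsubmit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12
10.0.0.7\t/index.html\t
178.215.238.91\t/apply.cgi\tsubmit_type=adjust_sys_time&adj_time_year=2024%3BPLACEHOLDER
192.0.2.44\t/apply.cgi\tsubmit_type=adjust_sys_time&adj_time_year=20x4
"""

def scan_log(text):
    """Return (client_ip, reasons) for every record that triggers a reason."""
    hits = []
    for line in text.splitlines():
        client_ip, path, body = line.split("\t", 2)
        reasons = classify_request(client_ip, path, body)
        if reasons:
            hits.append((client_ip, reasons))
    return hits

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

Since a genuine time adjustment only ever sends a year in adj_time_year, flagging any other value catches injection attempts without needing a payload signature.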