Four-Faith routers vulnerable to command injection

Security researchers have discovered a high-severity vulnerability in certain Four-Faith industrial routers. The flaw, tracked as CVE-2024-12856, allows attackers to inject commands into the router’s operating system. This can lead to the opening of reverse shells, granting hackers remote access to the devices.

The vulnerability affects Four-Faith router models F3x24 and F3x36. These routers are commonly used in various sectors, including energy, utilities, transportation, telecommunications, and manufacturing. The flaw is particularly concerning because many of these routers are still configured with default credentials, making them easy targets for attackers.

To exploit the vulnerability, hackers send a specially crafted HTTP POST request to the router’s ‘/apply.cgi’ endpoint. They target the ‘adj_time_year’ parameter, which is used for adjusting the system time. By manipulating this parameter, attackers can include a shell command and gain control of the device.

According to data from Censys, there are currently around 15,000 internet-facing Four-Faith routers that could be at risk.

Command injection risk in Four-Faith routers

VulnCheck, the cybersecurity firm that discovered the active exploitation of the flaw, has warned that the attacks are similar to those targeting another vulnerability through the same endpoint.

Once a router is compromised, attackers can modify configuration files for persistence, explore the network for other devices to pivot to, and escalate the attack further. VulnCheck has provided a sample payload demonstrating how the flaw can be used to create a reverse shell to an attacker’s computer. To mitigate the risk, users of affected Four-Faith routers should ensure they are running the latest firmware version and change default credentials to strong, unique passwords.

VulnCheck has also shared a Suricata rule to help detect and block exploitation attempts. Four-Faith, the Chinese manufacturer of the vulnerable routers, was notified about the issue on December 20, 2024. However, it remains unclear if security updates addressing the flaw are currently available.
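The request pattern described above (a POST to ‘/apply.cgi’ carrying a shell command in ‘adj_time_year’) and the detection idea behind VulnCheck's Suricata rule can be checked in a log review as well. The following is an added example written for this article, not VulnCheck's rule or Four-Faith's code; it assumes request logs in a simplified "METHOD PATH BODY" line format and that a legitimate ‘adj_time_year’ value is a plain four-digit year, both of which are assumptions, and the sample lines are constructed.

```python
"""Flag CVE-2024-12856-style requests: POST /apply.cgi whose adj_time_year is not a plain year."""
import re
from urllib.parse import parse_qs

# Constructed sample request log lines (not real traffic). Format assumed: METHOD PATH BODY
SAMPLE_LOG = [
    "POST /apply.cgi adj_time_year=2024&adj_time_month=12&adj_time_day=20",  # normal time change
    "POST /apply.cgi adj_time_year=2024%3Becho+test&adj_time_month=12",      # ';' smuggled in
    "GET /apply.cgi ",                                                        # no body, not a POST
    "POST /index.cgi adj_time_year=2024",                                     # different endpoint
]

TARGET_PATH = "/apply.cgi"          # endpoint named in the advisory
PARAM = "adj_time_year"             # injected parameter named in the advisory
YEAR_RE = re.compile(r"\d{4}")      # assumption: a legitimate value is exactly four digits


def is_suspicious(method: str, path: str, body: str) -> bool:
    """True when a POST to /apply.cgi carries an adj_time_year that is not a bare year."""
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    # parse_qs decodes percent-encoding and '+', so encoded metacharacters are still seen
    params = parse_qs(body, keep_blank_values=True)
    return any(YEAR_RE.fullmatch(value) is None for value in params.get(PARAM, []))


def scan(lines):
    """Return the log lines that match the suspicious pattern."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # malformed line, skip rather than guess
        method, path = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        if is_suspicious(method, path, body):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious request:", hit)
```

A real deployment would read the method, path and body from the web server or proxy logs in use and alert on hits rather than print them.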

Users are advised to contact their Four-Faith sales representative or customer support for guidance on mitigating CVE-2024-12856. The discovery of this vulnerability and its active exploitation highlight the importance of securing industrial routers and other IoT devices. As these devices become increasingly prevalent in critical infrastructure and various industries, it is crucial to keep them updated, change default credentials, and monitor for potential threats.