Hackers Exploit Four-Faith Router Flaw to Open Reverse Shells

Summary:
Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36. These devices are commonly deployed in critical sectors such as energy, utilities, transportation, telecommunications, and manufacturing, making the potential impact of exploitation significant. This post-authentication flaw allows attackers to gain full remote control of affected routers by opening reverse shells, enabling them to execute commands, modify device configurations, and escalate attacks across networks.

The vulnerability resides in the adj_time_year parameter of the /apply.cgi endpoint. The parameter is meant to adjust the system time, but a specially crafted HTTP POST request can carry shell commands in it that the router executes. The technique mirrors the exploitation of an earlier flaw in the same endpoint, CVE-2019-12168, which abused the "ping_ip" parameter. Because the flaw is post-authentication, devices still using default credentials are especially exposed: the login is trivial to guess or brute-force, giving attackers the authenticated access the exploit requires.

Security Officer Comments:
Once compromised, attackers can persist by modifying configuration files, explore connected networks for lateral movement opportunities, and further escalate their activities. VulnCheck, the security firm that discovered this ongoing exploitation, reported the issue to Four-Faith on December 20, 2024. Despite the alert, it remains unclear whether security patches have been made available to mitigate the vulnerability. Censys reports that over 15,000 internet-facing Four-Faith routers are currently exposed, making them viable targets for exploitation.

Suggested Corrections:
To defend against this threat, users are strongly advised to update their router firmware to the latest available version, replace default credentials with strong, unique passwords, and deploy the Suricata detection rule published by VulnCheck to identify and block exploitation attempts. Users should also contact Four-Faith's customer support or their sales representative for model-specific mitigation guidance and to confirm whether their devices are patched.
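The description above of the injection point (a POST to /apply.cgi whose adj_time_year parameter carries something other than a year) and the suggestion to run a network detection rule both lend themselves to a small request-inspection check. The following Python script is an added example written for this summary; it is not VulnCheck's Suricata rule and not Four-Faith code. It parses a few constructed HTTP requests, extracts adj_time_year from the form body without relying on urllib.parse.parse_qs (older Python versions split on ";", which would hide exactly the character a detector needs to see), and flags any value that is not a plain four-digit year or that contains shell metacharacters, including after a second round of percent-decoding. The request samples and the host address are constructed for the example.

```python
"""Flag HTTP requests that look like command-injection attempts against the
Four-Faith /apply.cgi adj_time_year parameter (CVE-2024-12856).

Added example for this bulletin; the detection logic and sample traffic are
constructed here and are not the vendor's or VulnCheck's own code.
"""
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/apply.cgi"
TARGET_PARAM = "adj_time_year"
# A legitimate year is exactly four digits; anything else deserves a look.
VALID_YEAR = re.compile(r"^\d{4}$")
# Characters that have no place in a year but are typical of shell injection.
SHELL_META = re.compile(r"[;|&`$(){}<>\r\n]")


def parse_request(raw):
    """Split a minimal raw HTTP request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n")[0]
    method, path, _version = request_line.split(" ", 2)
    return method, path, body


def parse_form_body(body):
    """Parse application/x-www-form-urlencoded data, splitting only on '&'.

    Written by hand so that ';' inside a value survives; some parse_qs
    versions treat ';' as a separator and would silently drop the injection.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_request(raw):
    """Return a verdict dict for one raw request.

    verdict is 'suspicious' when adj_time_year is not a bare four-digit year
    or contains shell metacharacters; 'benign' otherwise.
    """
    method, path, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return {"verdict": "benign", "reason": "not a POST to /apply.cgi"}
    values = parse_form_body(body).get(TARGET_PARAM)
    if not values:
        return {"verdict": "benign", "reason": "adj_time_year absent"}
    for value in values:
        # Decode once more so a double-encoded payload is judged in clear text.
        decoded = unquote_plus(value)
        if not VALID_YEAR.match(decoded) or SHELL_META.search(decoded):
            return {
                "verdict": "suspicious",
                "reason": "adj_time_year is not a plain four-digit year",
                "value": decoded,
            }
    return {"verdict": "benign", "reason": "adj_time_year is a plain year"}


def scan_requests(requests):
    """Return the names of all requests judged suspicious."""
    return [name for name, raw in requests.items()
            if classify_request(raw)["verdict"] == "suspicious"]


# Constructed sample traffic; 192.0.2.10 is a documentation address.
_HDR = ("POST /apply.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_REQUESTS = {
    "benign": _HDR + "adj_time_year=2024&adj_time_month=12",
    "injection": _HDR + "adj_time_year=2024%3Bid&adj_time_month=12",
    "double_encoded": _HDR + "adj_time_year=2024%253Bid",
    "unrelated": "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:15} -> {classify_request(raw)}")
    print("suspicious:", scan_requests(SAMPLE_REQUESTS))
```

The check is deliberately narrow (one path, one parameter, one expected shape) so it produces few false positives on a router's own management traffic; if the device's web interface sits behind TLS, the same logic applies to decrypted traffic at a proxy or to the router's access log rather than to the wire.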

Link(s):
https://www.bleepingcomputer.com/ne...our-faith-router-flaw-to-open-reverse-shells/
https://vulncheck.com/blog/four-faith-cve-2024-12856