Cybersecurity firm VulnCheck warns that a high-severity flaw in Four-Faith routers, tracked as CVE-2024-12856 (CVSS score: 7.2), is being actively exploited in the wild.
The flaw is an operating system (OS) command injection issue that impacts Four-Faith router models F3x24 and F3x36.
“At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi,” reads the advisory. “Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.”
VulnCheck researchers reported that attackers authenticated with the routers' default credentials, which effectively turns the post-authentication flaw into unauthenticated remote command injection.
“VulnCheck observed a new post-authentication vulnerability affecting Four-Faith industrial routers being exploited in the wild,” reads the report published by VulnCheck. “The attacker leveraged the router’s default credentials, effectively resulting in unauthenticated remote command injection.”
Attackers are targeting Four-Faith F3x24 and F3x36 routers via the /apply.cgi endpoint over HTTP.
Censys identified more than 15,800 devices exposed online that are vulnerable to OS command injection via the adj_time_year parameter when the system time is adjusted, enabling reverse shell exploitation.
“VulnCheck observed 178.215.238[.]91 attempting to exploit this vulnerability. Additionally, we note that this November 2024 blog also calls out exploitation of this vulnerability,” continues the cybersecurity firm.
Cybersecurity firm GreyNoise observed CVE-2019-12168 exploitation attempts on December 19, 2024.
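For defenders, the following added example (not taken from the VulnCheck advisory or from the original article) flags captured HTTP requests to /apply.cgi whose adj_time_year value is anything other than a plain four-digit year. The sample requests are constructed, and the four-digit rule and the raw-request input format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate adj_time_year value is exactly four digits.
YEAR_RE = re.compile(r"\d{4}")

def suspicious_time_change(raw_request: str):
    """Return the offending adj_time_year value, or None if the request looks benign."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0].split(" ")
    if len(request_line) < 2:
        return None  # not a parseable HTTP request line
    url = urlsplit(request_line[1])
    if not url.path.lower().endswith("/apply.cgi"):
        return None  # only the time-setting endpoint is of interest
    # The parameter may arrive in the query string or in the form body;
    # parse_qs percent-decodes both, so encoded metacharacters are seen too.
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    for value in params.get("adj_time_year", []):
        if not YEAR_RE.fullmatch(value):
            return value
    return None

# Constructed sample requests (not real traffic); host and paths are placeholders.
SAMPLES = {
    "benign": "POST /apply.cgi HTTP/1.1\r\nHost: router.example\r\n\r\n"
              "adj_time_year=2024",
    "injected": "POST /apply.cgi HTTP/1.1\r\nHost: router.example\r\n\r\n"
                "adj_time_year=2024%3Becho+test",
    "other_page": "POST /other.cgi HTTP/1.1\r\nHost: router.example\r\n\r\n"
                  "adj_time_year=2024%3Becho+test",
}

def scan(samples):
    """Return the names of the samples that should raise an alert."""
    return [name for name, raw in samples.items()
            if suspicious_time_change(raw) is not None]

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("ALERT:", name, repr(suspicious_time_change(SAMPLES[name])))
```

Any alert on a device that still uses its default credentials should be treated as a likely compromise, since the advisory notes that default credentials make the issue reachable without prior access.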