Recent investigations by VulnCheck reveal a critical vulnerability that is being actively exploited in several Four-Faith industrial routers. The high-severity flaw, tracked as CVE-2024-12856 and rated with a CVSS score of 7.2, affects the F3x24 and F3x36 router models.
While the vulnerability is contingent upon successful authentication by a remote attacker, the exploitation potential escalates significantly if default credentials remain unchanged. The misuse of default access credentials could enable unauthorized operating system command execution, heightening the risk for affected users.
Details from VulnCheck indicate that threat actors have exploited this flaw by leveraging the inherent security weaknesses of the routers. By taking advantage of factory-set credentials, the attackers can exploit CVE-2024-12856 to install a reverse shell that allows persistent access to the compromised network.
Initial reports suggest that the attack activity originated from IP address 178.215.238[.]91, previously linked to attacks aimed at exploiting another vulnerability, CVE-2019-12168, which also affects Four-Faith routers. Threat intelligence firm GreyNoise documented this ongoing exploitation surge as recently as December 19, 2024, further underscoring the urgency of addressing these vulnerabilities.
According to Jacob Baines, the exploitation can be executed against the specified router models via the HTTP protocol, particularly targeting the /apply.cgi endpoint. This authentication bypass is made feasible through a flaw in the adj_time_year parameter, which can be manipulated during system time adjustments.
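Because the reported abuse is confined to one endpoint and one parameter, a defender can flag it in web-server logs from the router or from an upstream proxy. The following is an added detection example, not code from VulnCheck or Four-Faith; it assumes a combined-format access log and treats any adj_time_year value that is not a four-digit year as out of spec. The log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log layout: client, ident, user, [time], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A legitimate year is exactly four digits; anything else is out of spec.
YEAR_OK = re.compile(r"\d{4}")


def check_apply_cgi(target, body=""):
    """Return the out-of-spec adj_time_year values in one request to /apply.cgi.

    The query string is always inspected; a captured POST body (e.g. from a
    proxy or WAF) may be passed as well. Requests to other paths return []."""
    parts = urlsplit(target)
    if parts.path != "/apply.cgi":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return [v for v in params.get("adj_time_year", []) if not YEAR_OK.fullmatch(v)]


def scan_access_log(lines):
    """Return (client_ip, offending_value) pairs for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for bad in check_apply_cgi(m["target"]):
            hits.append((m["ip"], bad))
    return hits


# Constructed sample lines (not real traffic). The second carries a
# URL-encoded semicolon in adj_time_year instead of a plain year.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2024:10:01:02 +0000] "GET /index.cgi HTTP/1.1" 200',
    '198.51.100.23 - - [19/Dec/2024:10:02:45 +0000] "POST /apply.cgi?adj_time_year=2024%3Bx HTTP/1.1" 200',
    '198.51.100.24 - - [19/Dec/2024:10:03:10 +0000] "POST /apply.cgi?adj_time_year=2024 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious adj_time_year from {ip}: {value!r}")
```

Because the flaw requires valid credentials, any hit should also prompt a check of whether the device still uses its factory password.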
Data collated from Censys indicates that over 15,000 of these routers are exposed to the internet. There is increasing evidence that attacks leveraging this vulnerability may have been in progress since at least early November 2024, raising alarms for users reliant on these systems.
Baines remarked that the attacks have a fragmented presence, stating that while there aren’t a large number of attackers, their actions appear to indiscriminately target the entire internet at a minimal rate, culminating in downloads akin to those seen in Mirai botnet activity.
At present, there is no information regarding any patches aimed at mitigating this vulnerability. VulnCheck responsibly reported the flaw to the Chinese manufacturer on December 20, 2024. The Hacker News has made attempts to reach Four-Faith for comments and will provide updates should further information become available.
Given the scope and technical nature of the attack, organizations should consider implications laid out in the MITRE ATT&CK framework, specifically regarding tactics related to initial access, persistence, and privilege escalation. This incident underscores the critical importance of robust credential management and timely patching of vulnerabilities in industrial-grade devices to safeguard against emerging cybersecurity threats.