Over 15,000 Four-Faith Routers Vulnerable to New Exploit

High-Severity Vulnerability Discovered in Four-Faith Routers: What You Need to Know

A high-severity security vulnerability affecting specific Four-Faith router models has been identified, with active exploitation reported in the wild. The flaw, tracked as CVE-2024-12856, puts users who have not yet secured their devices at significant risk. The vulnerability, which has a CVSS score of 7.2, is an operating system (OS) command injection issue impacting the F3x24 and F3x36 models.

The severity of CVE-2024-12856 is somewhat reduced by the requirement that a remote attacker authenticate first, but the real danger lies in default credentials that were never changed. On such devices an attacker can log in with the factory defaults, which effectively allows OS command execution without authentication.

Understanding CVE-2024-12856

Recent findings from VulnCheck reveal that threat actors are actively exploiting this vulnerability. By leveraging default credentials, attackers can launch a reverse shell, which gives them persistent remote access to affected routers. The exploitation attempts have been traced back to an IP address (178.215.238[.]91) previously seen in attacks targeting another remote code execution flaw, CVE-2019-12168, which also affects Four-Faith routers. According to the threat intelligence firm GreyNoise, attempts to exploit CVE-2019-12168 have been documented as recently as December 19, 2024.

How the Exploit Works

Jacob Baines, a security researcher, explains that the attack can be carried out against the Four-Faith F3x24 and F3x36 models over HTTP using the /apply.cgi endpoint. The injection point is the adj_time_year parameter, which the device processes when its system time is adjusted.
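Because a legitimate adj_time_year value is just a year, defenders can flag any request to /apply.cgi where that parameter is not purely numeric. The following is an added detection sketch, not code from VulnCheck or Four-Faith; it assumes full HTTP requests (including bodies) are available from a proxy or IDS capture, and the sample requests, host name and the `other_field` parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

YEAR_OK = re.compile(r"\d{4}")  # a legitimate year is exactly four digits


def suspicious_adj_time_year(raw_request: str) -> list[str]:
    """Return adj_time_year values sent to /apply.cgi that are not a plain year."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0].split(" ")
    if len(request_line) < 2:
        return []  # not a parseable HTTP request line
    target = urlsplit(request_line[1])
    if target.path != "/apply.cgi":
        return []
    # The parameter may arrive in the query string or the form body; check both.
    # parse_qs URL-decodes, so encoded shell metacharacters are seen in clear.
    values = []
    for encoded in (target.query, body):
        values += parse_qs(encoded, keep_blank_values=True).get("adj_time_year", [])
    return [v for v in values if not YEAR_OK.fullmatch(v)]


# Constructed sample requests (not captured traffic).
HEADERS = ("Host: router.example\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN = "POST /apply.cgi HTTP/1.1\r\n" + HEADERS + "adj_time_year=2024&other_field=1"
SUSPECT = ("POST /apply.cgi HTTP/1.1\r\n" + HEADERS
           + "adj_time_year=2024%3BCONSTRUCTED_NON_NUMERIC&other_field=1")
OTHER = "GET /index.html HTTP/1.1\r\nHost: router.example\r\n\r\n"


def scan(requests):
    """Return (index, offending values) for every request that should be alerted on."""
    hits = []
    for i, raw in enumerate(requests):
        bad = suspicious_adj_time_year(raw)
        if bad:
            hits.append((i, bad))
    return hits


if __name__ == "__main__":
    for index, bad in scan([BENIGN, SUSPECT, OTHER]):
        print(f"request {index}: non-numeric adj_time_year {bad!r}")
```

Any hit is worth investigating together with the router's login history, since the request only reaches the vulnerable code after authentication.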

Current Impact and Statistics

According to data from Censys, there are over 15,000 internet-facing Four-Faith devices, highlighting the potential scale of the issue. Evidence suggests that exploitation attempts may have been occurring since at least early November 2024, raising concerns for users of affected models.

What Users Should Do

To mitigate the risks associated with CVE-2024-12856, users should:

  • Change Default Credentials: Immediately update the default login details for affected routers.
  • Monitor Network Activity: Regularly check logs for any unauthorized access attempts.
  • Update Firmware: Ensure that your router’s firmware is up to date to protect against known vulnerabilities.

For further reading on network security best practices, visit the Cybersecurity & Infrastructure Security Agency (CISA).

Stay Informed and Protected

As cyber threats continue to evolve, staying informed about vulnerabilities like CVE-2024-12856 is crucial.