Four-Faith Routers Under Attack: Hackers Exploit Vulnerability to Open Reverse Shells

December 30, 2024

A post-authentication remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers is being exploited by cybercriminals to establish reverse shells, a channel that gives them interactive command access to the compromised devices. The exploitation was detected and reported to Four-Faith by a cybersecurity firm on December 20, 2024.

The vulnerability is present in the F3x24 and F3x36 models of Four-Faith routers, which are commonly deployed in sectors including energy, utilities, transportation, telecommunications, and manufacturing. Because the flaw requires authentication, the attackers first need valid credentials; they obtain them largely because many of these devices are still configured with default credentials, making them susceptible to brute force attacks.

The exploitation begins with the transmission of a specially crafted HTTP POST request to the router's '/apply.cgi' endpoint that targets the 'adj_time_year' parameter. This parameter, which is used for adjusting the system time, can be manipulated to include a shell command. The cybersecurity firm warned that the current attacks bear resemblance to those targeting CVE-2019-12168, a similar vulnerability that allows code injection through the 'ping_ip' parameter.

In the attack, the threat actors send a payload that creates a reverse shell to their own computer, providing them with full remote access to the routers. Once the device is compromised, the attackers can alter its configuration files to maintain their access, explore the network for other devices to compromise, and generally escalate the attack.

According to Censys, there are currently 15,000 internet-facing Four-Faith routers that could potentially be targeted. Users of these devices are advised to ensure that they are running the latest firmware version for their model and to replace the default credentials with unique, strong ones. The cybersecurity firm has also shared a Suricata rule that can detect and block attempts to exploit CVE-2024-12856. Users should additionally contact their Four-Faith sales representative or customer support agent for advice on mitigating CVE-2024-12856.
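The Suricata rule mentioned above is not reproduced in this article, so the following is an added illustration of the same detection idea, written for this page and not taken from Four-Faith or from the firm that reported the attacks. It parses a raw HTTP request, and for POSTs to '/apply.cgi' it flags values of the 'adj_time_year' (CVE-2024-12856) and 'ping_ip' (CVE-2019-12168) parameters that contain shell metacharacters or do not match the shape a legitimate value would have. Two assumptions are made and labelled in the code: a valid year is four digits, and a valid 'ping_ip' is an IP address or hostname. The sample requests are constructed for the example, not captured traffic.

```python
"""
Added example (not from the article, Four-Faith, or the reporting firm): a
small detector that inspects HTTP POST requests to /apply.cgi on Four-Faith
routers and flags parameter values that do not look like legitimate input.
It mirrors the kind of check an IDS rule for CVE-2024-12856 (adj_time_year)
and CVE-2019-12168 (ping_ip) performs. The sample requests are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Characters that have no business in a year or an IP address but are needed to
# chain a command onto the value the CGI script passes to the shell.
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n\r\\]")

# Assumption: a legitimate adj_time_year is exactly four digits.
YEAR_RE = re.compile(r"^\d{4}$")
# Assumption: a legitimate ping_ip is an IP address or a plain hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def _valid_year(value: str) -> bool:
    return bool(YEAR_RE.match(value))


def _valid_host(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


# Parameters named in the article, each paired with its expected-shape check.
CHECKS = {"adj_time_year": _valid_year, "ping_ip": _valid_host}


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, list[str]]]:
    """Split a raw HTTP/1.x request into (method, path, decoded form parameters)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    # parse_qs undoes %XX and '+' encoding, so obfuscated metacharacters are seen.
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return method, path, params


def find_injection_attempts(raw: bytes) -> list[str]:
    """Return the names of suspicious parameters in the request (empty = clean)."""
    method, path, params = parse_http_request(raw)
    if method != "POST" or path != "/apply.cgi":
        return []
    hits = []
    for name, validator in CHECKS.items():
        for value in params.get(name, []):
            if SHELL_METACHARS.search(value) or not validator(value):
                hits.append(name)
    return hits


# Constructed sample requests (RFC 5737 documentation addresses, no real hosts).
BENIGN = (
    b"POST /apply.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"adj_time_year=2024&adj_time_month=12&adj_time_day=30"
)
SUSPICIOUS_YEAR = (
    b"POST /apply.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"adj_time_year=2024%3Becho+probe"
)
SUSPICIOUS_PING = (
    b"POST /apply.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"ping_ip=192.0.2.1%7Cprobe"
)

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("year", SUSPICIOUS_YEAR), ("ping", SUSPICIOUS_PING)]:
        print(label, "->", find_injection_attempts(req) or "clean")
```

The check is deliberately positive (does the value look like a year or an address?) rather than only a metacharacter blocklist, so encodings or characters not on the list still trip it; the metacharacter test is kept because it is the cheaper signal and names the reason in a log line. On a real sensor this logic would sit behind the IDS's HTTP decoder instead of the hand-rolled parser shown here.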
