Researchers report active exploitation of flaw in Four-Faith industrial routers
Take action: If you are using Four-Faith routers, make sure they are isolated from the internet and accessible only from trusted networks. Then contact Four-Faith support for specific mitigation guidance.
A vulnerability in Four-Faith routers is being actively exploited by threat actors. Four-Faith devices are commonly used in energy, utilities, transportation, telecommunications, and manufacturing sectors. Censys reports approximately 15,000 internet-facing Four-Faith routers are potentially vulnerable.
The vulnerability is tracked as CVE-2024-12856 (CVSS score 7.2). It is an OS command injection vulnerability, exploitable through a POST request to the '/apply.cgi' endpoint. It targets the 'adj_time_year' parameter, which is used for system time adjustment, and enables remote command execution after authentication.
The flaw affects router models F3x24 and F3x36.
Attackers are exploiting devices using default credentials through brute force attacks. Once compromised, attackers can establish reverse shells for full remote access, modify configuration files for persistence, and use the router as a pivot point for lateral movement.
The issue was reported to Four-Faith on December 20, 2024. Currently, there is no confirmation of available security updates. VulnCheck has released a Suricata rule to detect and block exploitation attempts.
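For defenders who keep HTTP request logs from a proxy or sensor in front of these routers, the following added example (not VulnCheck's Suricata rule and not vendor code) flags POST requests to '/apply.cgi' whose 'adj_time_year' value is anything other than a plain number. The record layout, the sample requests, the `other` field and the 1-to-4-digit allow-list are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate year value is 1 to 4 ASCII digits and nothing else.
YEAR_OK = re.compile(r"[0-9]{1,4}")


def is_suspicious(method: str, target: str, body: str) -> bool:
    """True when a POST to /apply.cgi carries a non-numeric adj_time_year."""
    if method.upper() != "POST":
        return False
    if urlsplit(target).path.rstrip("/") != "/apply.cgi":
        return False
    # parse_qs percent-decodes values, so encoded metacharacters are checked
    # in clear. separator="&" keeps a raw ';' inside the value instead of
    # letting it split the field and hide the tail from the check.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    # Check every occurrence: a repeated parameter must not mask a bad one.
    return any(not YEAR_OK.fullmatch(v) for v in fields.get("adj_time_year", []))


def scan(records):
    """Return the indexes of records that should be reviewed."""
    return [i for i, (m, t, b) in enumerate(records) if is_suspicious(m, t, b)]


# Constructed sample records: (method, request target, form-encoded body).
# PLACEHOLDER stands in for whatever follows the metacharacter.
SAMPLE = [
    ("POST", "/apply.cgi", "adj_time_year=2025"),
    ("POST", "/apply.cgi", "adj_time_year=2025%3BPLACEHOLDER"),
    ("POST", "/apply.cgi", "adj_time_year=%24%28PLACEHOLDER%29"),
    ("GET", "/index.asp", ""),
    ("POST", "/apply.cgi?x=1", "other=1&adj_time_year=2024&adj_time_year=20%6024"),
]

if __name__ == "__main__":
    for idx in scan(SAMPLE):
        print("review request", idx, SAMPLE[idx])
```

An allow-list on the expected value shape catches encoded and repeated-parameter variants that a list of specific metacharacters would miss.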
Users are advised to update to the latest firmware version, change default credentials to strong, unique passwords, and contact Four-Faith support for specific mitigation guidance.
The vendor has not yet published an official security advisory for this vulnerability. Users should monitor Four-Faith's security announcements for updates.