15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials

A high-severity flaw impacting select Four-Faith industrial routers has come under active exploitation in the wild, according to new findings from VulnCheck.

The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.

The severity of the shortcoming is lower due to the fact that it only works if the remote attacker is able to successfully authenticate themselves. However, if the default credentials associated with the routers have not been changed, it could result in unauthenticated OS command execution.

In the attack detailed by VulnCheck, the unknown threat actors have been found to leverage the router’s default credentials to trigger exploitation of CVE-2024-12856 and launch a reverse shell for persistent remote access.

The exploitation attempt originated from the IP address 178.215.238[.]91, which has been previously used in connection with attacks seeking to weaponize CVE-2019-12168, another remote code execution flaw affecting Four-Faith routers. According to threat intelligence firm GreyNoise, efforts to exploit CVE-2019-12168 have been recorded as recently as December 19, 2024.

“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint,” Jacob Baines said in a report. “The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device’s system time via submit_type=adjust_sys_time.”

Data from Censys shows that there are over 15,000 internet-facing devices. There is some evidence suggesting that attacks exploiting the flaw may have been ongoing since at least early November 2024.

Baines told The Hacker News that “the attacks are and aren’t widespread,” adding “there is a small amount of attackers, but they appear to be spamming the entire internet (at a very low rate).” The attacks culminated in the download of a Mirai-like payload.

There is currently no information about the availability of patches, although VulnCheck stated that it responsibly reported the flaw to the Chinese company on December 20, 2024. The Hacker News has reached out to Four-Faith for comment prior to the publication of this story and will update the piece if we hear back.

Source

Leave a Comment Cancel Reply

London, GB

5:58 am, May 19, 2025

10°C

L: 10° | H: 11°

Feels like 10°C° broken clouds

Humidity: 84 %

Pressure: 1020 mb

Wind: 5 mph NNE

Wind Gust: 0 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 75%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 5:02 am

Sunset: 8:51 pm

DailyHourly

Daily ForecastHourly Forecast

Today 10:00 pm

10° | 11°°C 0 mm 0% 11 mph 84 % 1021 mb 0 mm/h

Tomorrow 10:00 pm

10° | 21°°C 0 mm 0% 9 mph 69 % 1022 mb 0 mm/h

Wed May 21 10:00 pm

14° | 22°°C 0 mm 0% 12 mph 63 % 1020 mb 0 mm/h

Thu May 22 10:00 pm

11° | 18°°C 0 mm 0% 12 mph 64 % 1023 mb 0 mm/h

Fri May 23 10:00 pm

7° | 19°°C 0 mm 0% 9 mph 69 % 1024 mb 0 mm/h

Today 7:00 am

10° | 11°°C 0 mm 0% 6 mph 84 % 1021 mb 0 mm/h

Today 10:00 am

12° | 15°°C 0 mm 0% 7 mph 75 % 1021 mb 0 mm/h

Today 1:00 pm

16° | 19°°C 0 mm 0% 9 mph 54 % 1020 mb 0 mm/h

Today 4:00 pm

19° | 19°°C 0 mm 0% 11 mph 40 % 1019 mb 0 mm/h

Today 7:00 pm

17° | 17°°C 0 mm 0% 9 mph 46 % 1020 mb 0 mm/h

Today 10:00 pm

13° | 13°°C 0 mm 0% 6 mph 63 % 1021 mb 0 mm/h

Tomorrow 1:00 am

11° | 11°°C 0 mm 0% 5 mph 66 % 1022 mb 0 mm/h

Tomorrow 4:00 am

10° | 10°°C 0 mm 0% 5 mph 69 % 1021 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€92,276.09	-0.12%
Ethereum(ETH)	€2,129.32	-4.13%
Tether(USDT)	€0.89	-0.01%
XRP(XRP)	€2.10	-0.89%
Solana(SOL)	€147.33	-1.79%
USDC(USDC)	€0.89	0.00%
Dogecoin(DOGE)	€0.196382	1.50%
Shiba Inu(SHIB)	€0.000013	-0.41%
Pepe(PEPE)	€0.000012	4.30%
Peanut the Squirrel(PNUT)	€0.285018	5.43%

15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials

Share:

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us