Hackers exploit Four-Faith router flaw to open reverse shells

Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers.

The malicious activity was discovered by VulnCheck, who informed Four-Faith about the active exploitation on December 20, 2024. However, it is unclear if security updates for the vulnerability are currently available.

“We notified Four-Faith and our customers about this issue on December 20, 2024. Questions about patches, affected models, and affected firmware versions should be directed at Four-Faith.” explains the VulnCheck report.

Flaw details and scope

CVE-2024-12856 is an OS command injection flaw impacting Four-Faith router models F3x24 and F3x36, typically deployed in energy and utilities, transportation, telecommunications, and manufacturing sectors.

VulnCheck says hackers can gain access to those devices because many are configured with default credentials, which are easy to brute force.

The attack begins with the transmission of a specially crafted HTTP POST request to the router’s ‘/apply.cgi’ endpoint targeting the ‘adj_time_year’ parameter.

This is a parameter used for adjusting the system time, but it can be manipulated to include a shell command.

VulnCheck warns that the current attacks are similar to those targeting CVE-2019-12168, a similar flaw through the apply.cgi endpoint, but which performs code injection through the “ping_ip” parameter.

VulnCheck shared a sample payload that creates a reverse shell to an attacker’s computer, giving them full remote access to the routers.

**Setting up a reverse shell**
*Source: VulnCheck*

After the device’s compromise, the attackers may modify its configuration files for persistence, explore the network for other devices to pivot to, and generally escalate the attack.

Censys reports that there are currently 15,000 internet-facing Four-Faith routers that could become targets.

Users of those devices should ensure they’re running the latest firmware version for their model and change the default credentials to something unique and strong (long).

VulnCheck has also shared a Suricata rule to detect CVE-2024-12856 exploitation attempts and block them in time.

Finally, users should contact their Four-Faith sales representative or customer support agent to request advice on how to mitigate CVE-2024-12856.

Source

Leave a Comment Cancel Reply

London, GB

4:58 pm, Jan 16, 2025

9°C

L: 8° | H: 10°

Feels like 7°C° overcast clouds

Humidity: 83 %

Pressure: 1034 mb

Wind: 7 mph SW

Wind Gust: 9 mph

UV Index: 0

Precipitation: 0 mm

Clouds: 100%

Rain Chance: 0%

Visibility: 10 km

Sunrise: 7:58 am

Sunset: 4:21 pm

DailyHourly

Daily ForecastHourly Forecast

Today 9:00 pm

8° | 10°°C 0 mm 0% 4 mph 87 % 1034 mb 0 mm/h

Tomorrow 9:00 pm

3° | 7°°C 0 mm 0% 4 mph 96 % 1035 mb 0 mm/h

Sat Jan 18 9:00 pm

2° | 6°°C 0 mm 0% 3 mph 87 % 1033 mb 0 mm/h

Sun Jan 19 9:00 pm

1° | 6°°C 0 mm 0% 6 mph 91 % 1023 mb 0 mm/h

Mon Jan 20 9:00 pm

3° | 7°°C 0 mm 0% 5 mph 92 % 1021 mb 0 mm/h

Today 6:00 pm

6° | 9°°C 0 mm 0% 4 mph 83 % 1034 mb 0 mm/h

Today 9:00 pm

5° | 8°°C 0 mm 0% 4 mph 87 % 1034 mb 0 mm/h

Tomorrow 12:00 am

4° | 6°°C 0 mm 0% 4 mph 93 % 1035 mb 0 mm/h

Tomorrow 3:00 am

4° | 4°°C 0 mm 0% 4 mph 96 % 1034 mb 0 mm/h

Tomorrow 6:00 am

3° | 3°°C 0 mm 0% 3 mph 95 % 1035 mb 0 mm/h

Tomorrow 9:00 am

3° | 3°°C 0 mm 0% 4 mph 94 % 1035 mb 0 mm/h

Tomorrow 12:00 pm

7° | 7°°C 0 mm 0% 3 mph 76 % 1035 mb 0 mm/h

Tomorrow 3:00 pm

7° | 7°°C 0 mm 0% 3 mph 75 % 1034 mb 0 mm/h

Name	Price	24H (%)
Bitcoin(BTC)	€96,509.93	0.23%
Ethereum(ETH)	€3,244.66	-0.32%
XRP(XRP)	€3.28	14.73%
Tether(USDT)	€0.97	-0.02%
Solana(SOL)	€207.23	7.77%
Dogecoin(DOGE)	€0.372648	2.58%
USDC(USDC)	€0.97	0.00%
Shiba Inu(SHIB)	€0.000021	0.97%
Pepe(PEPE)	€0.000017	0.37%
Peanut the Squirrel(PNUT)	€0.59	-2.27%

Hackers exploit Four-Faith router flaw to open reverse shells

Share:

Flaw details and scope

Leave a Comment Cancel Reply

Utility link

Useful link

Newsletter

Follow Us