A newly discovered high-severity vulnerability in Four-Faith routers is being actively exploited in the wild, potentially affecting over 15,000 internet-connected devices, according to security researchers at VulnCheck.
The vulnerability (CVE-2024-12856), which carries a CVSS score of 7.2, allows attackers to execute operating system commands on Four-Faith router models F3x24 and F3x36. While the flaw requires authentication, devices still using default login credentials remain particularly vulnerable to unauthorized access.
Security researcher Jacob Baines revealed that attackers can exploit the vulnerability through the routers' HTTP interface using the /apply.cgi endpoint. The injection point is the adj_time_year parameter, which is processed when system time settings are modified.
VulnCheck researchers observed active exploitation attempts originating from IP address 178.215.238[.]91, which has been previously linked to attacks targeting another Four-Faith router vulnerability (CVE-2019-12168). The current attacks leverage default credentials to exploit CVE-2024-12856 and establish persistent remote access through a reverse shell.
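The details above are enough to triage captured HTTP traffic to these routers. The following is an added example, not code from VulnCheck or Four-Faith. It flags /apply.cgi requests whose adj_time_year value is not a plain year or whose source is the reported address. The record format, the four-digit rule and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Source address the article reports for exploitation attempts (refanged for matching).
REPORTED_SOURCE = "178.215.238.91"
YEAR_OK = re.compile(r"[0-9]{4}")  # assumption: a legitimate year is exactly four digits

# Constructed records (assumed format): source IP <TAB> request target <TAB> form body.
SAMPLE_RECORDS = (
    "192.0.2.10\t/apply.cgi\tadj_time_year=2024&field=constructed\n"
    "198.51.100.7\t/apply.cgi\tadj_time_year=2024%3BCONSTRUCTED\n"
    "178.215.238.91\t/apply.cgi\tadj_time_year=2025\n"
    "192.0.2.10\t/other\tadj_time_year=abcd\n"
    "malformed line without tabs\n"
)


def suspicious_requests(records):
    """Return (source_ip, [reasons]) for each /apply.cgi request worth reviewing."""
    findings = []
    for line in records.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip records that do not match the assumed format
        src, target, body = parts
        url = urlsplit(target)
        if url.path != "/apply.cgi":
            continue
        # Parameters may arrive in the query string or the form body; check both.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
        reasons = []
        if any(not YEAR_OK.fullmatch(v) for v in params.get("adj_time_year", [])):
            reasons.append("adj_time_year is not a four-digit year")
        if src == REPORTED_SOURCE:
            reasons.append("source address reported in exploitation attempts")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_requests(SAMPLE_RECORDS):
        print(src, "; ".join(reasons))
```

Because the values are URL-decoded before validation, an encoded separator such as %3B is caught the same way as a literal one.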
According to data from Censys, more than 15,000 potentially vulnerable Four-Faith routers are currently exposed to the internet. Evidence suggests that exploitation attempts may have begun as early as November 2024.
VulnCheck reported the vulnerability to Four-Faith on December 20, 2024, but no patches are currently available. Users of affected router models are advised to change default credentials immediately to mitigate potential attacks.
The Chinese manufacturer has not yet responded to requests for comment regarding the security issue.