Blog

Hackers exploit Four-Faith router flaw to open reverse shells

3 days ago
1 minute read

Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers.

The malicious activity was discovered by VulnCheck, who informed Four-Faith about the active exploitation on December 20, 2024. However, it is unclear if security updates for the vulnerability are currently available.

“We notified Four-Faith and our customers about this issue on December 20, 2024. Questions about patches, affected models, and affected firmware versions should be directed at Four-Faith.” explains the VulnCheck report.

Flaw details and scope

CVE-2024-12856 is an OS command injection flaw impacting Four-Faith router models F3x24 and F3x36, typically deployed in energy and utilities, transportation, telecommunications, and manufacturing sectors.

VulnCheck says hackers can gain access to those devices because many are configured with default credentials, which are easy to brute force.

The attack begins with the transmission of a specially crafted HTTP POST request to the router’s ‘/apply.cgi’ endpoint targeting the ‘adj_time_year’ parameter.

This is a parameter used for adjusting the system time, but it can be manipulated to include a shell command.

VulnCheck warns that the current attacks are similar to those targeting CVE-2019-12168, a similar flaw through the apply.cgi endpoint, but which performs code injection through the “ping_ip” parameter.

VulnCheck shared a sample payload that creates a reverse shell to an attacker’s computer, giving them full remote access to the routers.

Setting up a reverse shell
Setting up a reverse shell
Source: VulnCheck

After the device’s compromise, the attackers may modify its configuration files for persistence, explore the network for other devices to pivot to, and generally escalate the attack.

Censys reports that there are currently 15,000 internet-facing Four-Faith routers that could become targets.

Users of those devices should ensure they’re running the latest firmware version for their model and change the default credentials to something unique and strong (long).

VulnCheck has also shared a Suricata rule to detect CVE-2024-12856 exploitation attempts and block them in time.

Finally, users should contact their Four-Faith sales representative or customer support agent to request advice on how to mitigate CVE-2024-12856.


Source link

Tags
3 days ago
1 minute read

Related Articles

This Free Scavenger Hunt Makes Comic and Anime Conventions so Much Better

2 hours ago

4 Problems I Had With My Nintendo Switch Pro Controller (And How I Fixed Them)

2 hours ago

How to find the product key of your Windows 10 or Windows 11 PC

2 hours ago

Google’s efficiency drive continues as CEO reveals plans to cut management roles

3 hours ago

How to watch Auckland Classic ASB tennis 2025 live stream online

3 hours ago

Samsung bets big on OLED and gaming with its 2025 monitor lineup

4 hours ago

MacBook Pro M4 Pro Review: Super-powered and Super-pricey

5 hours ago

Chinese threat actors breached the US Treasury in ‘major incident’ – here’s what you need to know

6 hours ago

With Avian Flu a Risk, Choose Your Plant Fertilizer More Carefully

7 hours ago

I Wish Facebook Was as Good at Suggesting Content as It Is at Suggesting Ads

7 hours ago
Back to top button
close