The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

15,000+ Four-Faith Routers at Risk Due to Default Credentials

ByHoplon Infosec
Published28 Dec, 2024
15,000+ Four-Faith Routers at Risk Due to Default Credentials
Hoplon Infosec28 Dec, 2024

A newly discovered high-severity vulnerability in specific Four-Faith Routers models is actively exploited in the wild. Researchers at VulnCheck uncovered this flaw, tracked as CVE-2024-12856, which poses a significant risk to users of these devices. In this article, we will explore the details of the vulnerability, its implications, and what affected users can do to protect themselves.

Understanding CVE-2024-12856

CVE-2024-12856 is an operating system (OS) command injection vulnerability with a CVSS score 7.2. This score indicates a high severity level, although certain mitigating factors slightly reduce its impact. The flaw affects Four-Faith router models F3x24 and F3x36 and requires attackers to authenticate themselves before exploitation. However, if the router’s default credentials have not been changed, attackers could bypass authentication and execute OS commands remotely.

The vulnerability stems from improper input handling in the adj_time_year parameter when modifying the system time via the /apply.cgi endpoint. This allows attackers to inject and execute arbitrary commands on the device.

The Active Exploitation Campaign on Four-Faith Routers

According to VulnCheck, threat actors are actively exploiting CVE-2024-12856. The attackers leverage default credentials to authenticate and then use the vulnerability to gain persistent remote access through a reverse shell. The exploitation was traced back to the IP address 178.215.238.91, previously associated with malicious activities targeting Four-Faith routers.

The same IP address was implicated in attacks exploiting CVE-2019-12168, another remote code execution vulnerability in Four-Faith routers. GreyNoise, a threat intelligence company, observed attempts to exploit CVE-2019-12168 as recently as December 19, 2024. This suggests that the attackers are adept at weaponizing known vulnerabilities to compromise these devices.

Technical Breakdown of the Exploitation

The exploitation process involves sending a crafted HTTP request to the router’s/apply—cgi endpoint. By modifying the adj_time_year parameter, attackers can inject OS commands that the router inadvertently executes. Once thriving, the attackers establish a reverse shell, giving them complete control over the compromised device.

Jacob Baines, a researcher at VulnCheck, provided additional insights into the attack method. He noted that the flaw can be exploited remotely over HTTP and described how the vulnerability could be triggered by adjusting the router’s system time through a specific submission type (submit_type=adjust_sys_time). This technical detail underscores the sophistication of the attack vector.

The scale of the Threat

Data from Censys indicates that over 15,000 internet-facing devices are potentially vulnerable to exploitation. This extensive attack surface heightens the urgency of addressing the issue. Evidence suggests that the exploitation campaign began as early as November 2024, meaning many devices may have already been compromised.

No Patches Yet: What It Means for Users

No official patches have been released to address CVE-2024-12856 as of now. Following responsible disclosure protocols, VulnCheck reported the flaw to Four-Faith on December 20, 2024. The lack of immediate patches leaves users in a precarious position, exposing them to potential exploitation.

Hacker News has contacted Four-Faith for a response but has not yet received a comment. It is unclear when or if a firmware update will be available to fix this critical issue.

Steps to Mitigate the Risk

While waiting for an official patch, affected users can take the following steps to mitigate the risk of exploitation:

Change Default Credentials

One of the primary methods attackers use to exploit this vulnerability is leveraging the router’s default credentials. Changing these credentials to a strong, unique password is a critical first step in securing your device.

Restrict Access to the Router

Restrict access to your router’s administrative interface by configuring it only to allow connections from trusted IP addresses. Disable remote access if it is not necessary.

Monitor Network Traffic

Keep an eye on your network traffic for any unusual activity. If you notice unknown IP addresses attempting to connect to your router, this could indicate an exploitation attempt.

Use a Firewall

Configure a firewall to block unauthorized access to your router. A properly configured firewall can help mitigate the risk of exploitation by filtering out malicious requests.

Check for Updates Regularly

Stay informed about updates and patches from Four-Faith. Regularly check the manufacturer’s website or contact their support Team for any announcements regarding security fixes.

Disconnect Vulnerable Devices

If you suspect your router has been compromised, disconnect it from the internet and reset it to factory settings. Reconfigure it with secure settings before reconnecting it.

Broader Implications for IoT Security

This incident highlights a recurring issue in the Internet of Things (IoT) landscape: the reliance on default credentials and the lack of timely patching. IoT devices, including routers, are often deployed with minimal security measures, making them attractive targets for attackers.

Manufacturers must prioritize security by implementing measures such as:

  • Requiring users to set unique credentials during initial setup.
  • Providing timely patches and updates for identified vulnerabilities.
  • Enhancing input validation to prevent command injection and similar attacks.

Conclusion

The exploitation of CVE-2024-12856 is a stark reminder of the importance of securing internet-connected devices. For users of Four-Faith routers, immediate action is necessary to mitigate the risk of compromise. Changing default credentials, restricting access, and monitoring network activity are essential to protect against this active Threat.

As we await patches from Four-Faith, the broader cybersecurity community must continue to advocate for stronger security practices in the IoT space. Awareness and proactive measures can significantly reduce the impact of such vulnerabilities, safeguarding both individual users and the broader Internet ecosystem.

For More:

https://thehackernews.com/2024/12/15000-four-faith-routers-exposed-to-new.html

About the author

Hoplon Infosec

Hoplon Infosec

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo
Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now
15 Jul, 2026

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now

SonicWall SMA1000 zero-day vulnerabilities are under active attack. See affected versions, CVE details, IOC checks and the patch you need right now.

Read More
Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide
15 Jul, 2026

Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide

Windows 11 KB5101650 is blocked on some Dell PCs after an Intel driver conflict triggered shutdowns and overheating. Here is what happened and what to do.

Read More
OFAC Sanctions First VPN Service Over Ransomware
14 Jul, 2026

OFAC Sanctions First VPN Service Over Ransomware

Learn why OFAC sanctioned First VPN Service and a malware cryptor seller, how 1VPNS helped ransomware groups, and how to defend against FSB router attacks.

Read More
CVE-2026-57807: Critical WordPress SSO Flaw Explained
13 Jul, 2026

CVE-2026-57807: Critical WordPress SSO Flaw Explained

CVE-2026-57807 affects miniOrange OAuth SSO through 38.5.8. Learn who is exposed, how the flaw works, plus safe mitigation and incident response steps.

Read More
Mobile App Security Guide: Risks, Fixes and Best Practices
13 Jul, 2026

Mobile App Security Guide: Risks, Fixes and Best Practices

Mobile app security explained simply, covering real risks, OWASP threats, encryption and practical steps to protect any app from hackers.

Read More
Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims
13 Jul, 2026

Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims

Apple OpenAI lawsuit explained. See what Apple accuses Tang Tan, Chang Liu and OpenAI of stealing, and what it means for hardware security.

Read More