15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials

A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck.

The vulnerability, tracked as CVE-2024–12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.

The severity of the shortcoming is lower due to the fact that it only works if the remote attacker is able to successfully authenticate themselves. However, if the default credentials associated with the routers have not been changed, it could result in unauthenticated OS command execution.

In the attack detailed by VulnCheck, the unknown threat actors have been found to leverage the router’s default credentials to trigger exploitation of CVE-2024–12856 and launch a reverse shell for persistent remote access.

The exploitation attempt originated from the IP address 178.215.238[.]91, which has been previously used in connection with attacks seeking to weaponize CVE-2019–12168, another remote code execution flaw affecting Four-Faith routers. According to threat intelligence firm GreyNoise, efforts to exploit CVE-2019–12168 have been recorded as recently as December 19, 2024.