
Four-Faith Routers Hacked: Remote Access Vulnerability Exploited


Four-Faith industrial routers, specifically models F3x24 and F3x36, are affected by a critical security vulnerability tracked as CVE-2024-12856.

The vulnerability is located in the router’s apply.cgi script, which is responsible for adjusting the system time.

By manipulating the adj_time_year parameter in a system time modification request, remote attackers can execute arbitrary commands on the operating system.

The flaw in the apply.cgi script results from improper input validation and sanitization.

Attackers take advantage of it by sending a specially crafted HTTP POST request that carries malicious commands in the adj_time_year field.

If the router is still accessible over the internet and the default credentials have not been changed, attackers can exploit this vulnerability to gain unauthorized access to the router’s operating system.

If exploitation succeeds, they could gain control of the device, compromise sensitive data, disrupt critical operations, and pivot to other systems within the target network.

Researchers detected exploitation attempts from IP address 178.215.238.91 targeting the vulnerability. The activity aligns with a November 2024 blog post documenting similar exploitation activity, including a matching User-Agent, and the researchers observed a distinct payload in these attacks.

A Suricata rule can identify potential attempts to exploit CVE-2024-12856 in Four-Faith devices.

It matches malicious HTTP POST requests to the “/apply.cgi” endpoint with specific headers and a request body containing “change_action=adjust_sys_time” and a pattern matching the expected format of the exploit payload.
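The matching logic described above, as an added Python example that is neither the Suricata rule nor code from the original article. It assumes a form-encoded body and that a legitimate adj_time_year is exactly four digits; the host name and sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: a legitimate year is exactly four ASCII digits.
YEAR_RE = re.compile(r"[0-9]{4}")

def form_fields(body: str) -> dict:
    """Decode a form-encoded body (assumed encoding) into name -> [values]."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def is_suspicious(raw: bytes) -> bool:
    """Flag POST /apply.cgi time-adjust requests whose year is not 4 digits."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return False  # not a well-formed request line
    method, target, _version = parts
    if method != "POST" or urlsplit(target).path != "/apply.cgi":
        return False
    fields = form_fields(body.decode("latin-1"))
    if "adjust_sys_time" not in fields.get("change_action", []):
        return False
    # Allowlist check: anything other than four digits is reported.
    return any(not YEAR_RE.fullmatch(y) for y in fields.get("adj_time_year", []))

def _req(method: str, body: str) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (f"{method} /apply.cgi HTTP/1.1\r\nHost: router.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body).encode()

# Constructed samples; the flagged value is a harmless placeholder.
SAMPLES = {
    "normal": _req("POST", "change_action=adjust_sys_time&adj_time_year=2025"),
    "flagged": _req("POST", "change_action=adjust_sys_time"
                            "&adj_time_year=2025%24%28CONSTRUCTED%29"),
    "other_action": _req("POST", "change_action=constructed_other&adj_time_year=x"),
    "get": _req("GET", ""),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, is_suspicious(raw))
```

The same allowlist idea (accept only a four-digit year) is what input validation on the device side would need to enforce.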

On December 20, 2024, VulnCheck informed both Four-Faith and its customers about the vulnerability being actively exploited in the wild. Inquiries regarding patches, impacted models, and affected firmware versions should be directed to Four-Faith.
