A recently discovered high-severity vulnerability affecting selected router models developed by Four-Faith Technology has reportedly come under active exploitation, possibly impacting north of 15,000 internet-exposed devices.
The flaw, tracked as CVE-2024-12856, carries a CVSS score of 7.2 and has been identified as an operating system (OS) command injection vulnerability, according to findings by researchers at VulnCheck.
It impacts the router models F3x24 and F3x36, potentially allowing threat actors to execute unauthorized OS commands. However, this flaw can only be exploited if attackers successfully authenticate with the device.
Worryingly, many devices remain secured with their factory default credentials, significantly lowering the barrier for exploitation.
Unknown threat actors are using default credentials to exploit the vulnerability, then launching a reverse shell that gives them persistent remote access to the impacted routers.
Further analysis identified the source of one exploitation attempt as the IP address 178.215.238[.]91, a known entity previously observed in campaigns targeting vulnerability CVE-2019-12168, another critical remote code execution (RCE) issue linked to Four-Faith routers.
Until a patch is issued, users of Four-Faith routers are strongly advised to change the default credentials on all devices immediately to reduce the risk of unauthorized access, and to restrict device access with network firewalls so that these devices are not exposed to the public internet.
Also, users should monitor for malicious IPs, including 178.215.238[.]91, which is linked to previous exploitation attempts, and regularly review device logs to identify unusual activity.
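One way to act on the log-review advice above is a small triage script that reads router access logs and flags both the known exploitation source and any management access arriving from outside the networks an administrator expects. The script below is an added example, not code from the article or from Four-Faith; the syslog-style log layout, the sample log lines and the allowed management networks are all assumptions constructed for illustration, and the only indicator taken from the article is the IP 178.215.238[.]91 (refanged here so it can be matched).

```python
import ipaddress
import re

# Known exploitation source from the article (defanged there as 178.215.238[.]91).
IOC_IPS = {"178.215.238.91"}

# Assumption: management access is only expected from these internal ranges.
MGMT_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Assumed syslog-style layout: "<Mon DD HH:MM:SS> <host> <proc>: <message> [from <ip>]".
# The real Four-Faith log format is not described in the article.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+): "
    r"(?P<msg>.*?)(?: from (?P<src>\d{1,3}(?:\.\d{1,3}){3}))?$"
)

# Constructed sample log lines for illustration only.
SAMPLE_LOGS = [
    "Dec 27 10:01:02 router httpd: login ok user=admin from 192.168.1.20",
    "Dec 27 10:05:44 router httpd: login ok user=admin from 178.215.238.91",
    "Dec 27 10:05:45 router httpd: web request from 178.215.238.91",
    "Dec 27 10:09:13 router httpd: login failed user=admin from 203.0.113.7",
    "Dec 27 10:15:00 router kernel: link up eth0",
]


def parse_line(line):
    """Return a dict with ts/host/proc/msg/src (src may be None), or None if unparsable."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_mgmt_nets(src):
    """True if the source address lies inside one of the allowed management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def scan_logs(lines, ioc_ips=IOC_IPS):
    """Return (severity, source_ip, reason) tuples for every suspicious log entry."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue  # no source address to assess
        src = rec["src"]
        if src in ioc_ips:
            alerts.append(("HIGH", src, "known exploitation source"))
        elif not in_mgmt_nets(src):
            alerts.append(("MEDIUM", src, "management access from outside allowed networks"))
    return alerts


def summarize(alerts):
    """Count alerts per source IP so repeat offenders stand out."""
    counts = {}
    for _, src, _ in alerts:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for sev, src, reason in found:
        print(f"{sev:6} {src:16} {reason}")
    print("per-source counts:", summarize(found))
```

Any HIGH hit means the device has already been contacted by the address tied to these attacks and should be treated as potentially compromised, while MEDIUM hits show that the management interface is reachable from outside the expected networks, which is exactly the exposure the firewall advice above is meant to remove.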
In October, security researchers disclosed 14 new vulnerabilities in DrayTek Vigor routers, among them a severe flaw that left more than 700,000 internet-exposed devices open to RCE.