A critical vulnerability, designated CVE-2024-12856, has been discovered in Four-Faith routers, specifically models F3x24 and F3x36, enabling remote code execution. The flaw resides in the `/apply.cgi` endpoint, where manipulation of the `adj_time_year` parameter allows attackers to inject operating-system commands and gain unauthorized access. Exploitation requires authentication, but attackers satisfy that requirement with the devices' default credentials and then open reverse shells back to their own systems. Over 15,000 devices are estimated to be at high risk because they both retain default credentials and are exposed to the internet.
Exploitation of this vulnerability poses a serious threat, potentially leading to malware installation, data theft, and significant network disruption. Observed attack attempts have been linked to a Mirai malware variant, suggesting a targeted campaign. Users of affected Four-Faith routers are urged to act immediately by updating to the latest firmware and enforcing strong password policies. VulnCheck has also published a Suricata rule that helps identify devices already affected.
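As an added example (not the VulnCheck rule and not code from the original article), the check below applies the same idea to HTTP access logs: a legitimate `adj_time_year` value for `/apply.cgi` is four digits, so any other value in that parameter is worth an analyst's attention. It assumes combined-format access logs captured by a reverse proxy or sensor in front of the router, and the sample lines and the `CONSTRUCTED_PAYLOAD` marker are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in combined access-log format (hypothetical; not taken from
# the article or from any real device). Line 2 carries a placeholder, not a real payload.
SAMPLE_LOGS = [
    '10.0.0.5 - - [27/Dec/2024:10:00:01 +0000] "POST /apply.cgi?adj_time_year=2024&adj_time_month=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Dec/2024:10:00:07 +0000] "POST /apply.cgi?adj_time_year=2024%3BCONSTRUCTED_PAYLOAD HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Dec/2024:10:00:09 +0000] "GET /status.cgi HTTP/1.1" 200 128',
    '10.0.0.7 - - [27/Dec/2024:10:00:11 +0000] "POST /apply.cgi HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate year is exactly four ASCII digits; anything else in the value is an anomaly.
YEAR_RE = re.compile(r'\A\d{4}\Z')

def query_values(query, name):
    """Return every value of `name` in a raw query string, percent-decoded.

    Split on '&' before decoding so an encoded separator or shell metacharacter
    inside a value stays inside that value (older parse_qs also split on ';').
    """
    values = []
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return values

def classify(line):
    """Classify one access-log line with respect to /apply.cgi adj_time_year abuse."""
    m = REQUEST_RE.search(line)
    if not m:
        return 'unparsed'
    parts = urlsplit(m.group('target'))
    if parts.path != '/apply.cgi':
        return 'other'
    years = query_values(parts.query, 'adj_time_year')
    if not years:
        # The parameter may have travelled in the POST body, which this log does not show.
        return 'apply_cgi_needs_body_review'
    # Check every occurrence: a second, malformed copy of the parameter still counts.
    return 'benign' if all(YEAR_RE.match(v) for v in years) else 'suspicious'

def scan(lines):
    """Return (line_number, verdict) for each line that deserves analyst attention."""
    flagged = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict in ('suspicious', 'apply_cgi_needs_body_review'):
            flagged.append((n, verdict))
    return flagged
```

Requests to `/apply.cgi` whose parameters are not visible in the log are flagged for body review rather than dropped, since a query-string-only detector cannot clear them.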