More than 15,000 internet-exposed Four-Faith F3x24 and F3x36 routers could be compromised in ongoing intrusions exploiting a high-severity operating system command injection flaw, tracked as CVE-2024-12856, according to The Hacker News.
Attacks against the vulnerable routers have been conducted from the same IP address previously used to exploit the Four-Faith remote code execution vulnerability tracked as CVE-2019-12168. The new flaw was then used to deploy a reverse shell to ensure persistence and to prompt unauthenticated OS command execution, a report from VulnCheck revealed.
"The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device's system time via submit_type=adjust_sys_time," said VulnCheck researcher Jacob Baines.
While the issue has already been reported, Four-Faith has yet to provide fixes for the vulnerability, noted VulnCheck.
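With no vendor fix available, defenders can watch for the request shape Baines describes. The following detection sketch is an added example, not code from VulnCheck or Four-Faith: it flags requests to /apply.cgi with submit_type=adjust_sys_time whose adj_time_year is not a plain four-digit year. The record layout (source IP, URL, form body), the function names, and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A legitimate year value is exactly four ASCII digits.
YEAR_OK = re.compile(r"[0-9]{4}")

def suspicious_time_change(url, body=""):
    """Return the offending adj_time_year value, or None if the request looks normal."""
    parts = urlsplit(url)
    if not parts.path.endswith("/apply.cgi"):
        return None
    # Parameters may arrive in the query string or the form body; check both.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if "adjust_sys_time" not in params.get("submit_type", []):
        return None
    for year in params.get("adj_time_year", []):
        if not YEAR_OK.fullmatch(year):
            return year  # decoded value, so encoded metacharacters are visible
    return None

def scan(records):
    """Return (source_ip, decoded_value) for every record that should raise an alert."""
    hits = []
    for src, url, body in records:
        value = suspicious_time_change(url, body)
        if value is not None:
            hits.append((src, value))
    return hits

# Constructed sample records: (source IP, URL, form body). Not real traffic.
SAMPLES = [
    ("192.0.2.10", "/apply.cgi", "submit_type=adjust_sys_time&adj_time_year=2024"),
    ("198.51.100.7", "/apply.cgi",
     "submit_type=adjust_sys_time&adj_time_year=2024%3BCONSTRUCTED"),
    ("192.0.2.10", "/apply.cgi", "submit_type=CONSTRUCTED_OTHER&adj_time_year=abc"),
    ("203.0.113.5", "/index.asp", ""),
]

if __name__ == "__main__":
    for src, value in scan(SAMPLES):
        print(f"ALERT {src}: non-numeric adj_time_year {value!r}")
```

Because the parameters normally travel in a POST body, this check needs a log source that records request bodies, such as a reverse proxy or WAF in front of the device's management interface.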