Thousands of industrial routers vulnerable to command injection flaw
Thousands of industrial routers from a Chinese telecommunications equipment manufacturer are vulnerable to a post-authentication command injection flaw, with indications it is already being exploited in the wild to infect devices with Mirai malware.
On Dec. 27, VulnCheck detailed the vulnerability, tracked as CVE-2024-12856, in which an attacker who logs in to a Four-Faith F3x24 or F3x36 router with its default credentials can remotely inject commands into the underlying operating system.
Meanwhile, a malicious IP address was observed attempting to leverage the vulnerability. VulnCheck Chief Technology Officer Jacob Baines wrote that his team identified the same user agent referenced in a November blog by DucklingStudio attempting to use the vulnerability to deploy a different malware payload.
Baines also posted on X a video demonstrating exploitation of the flaw.
The vulnerability appears to be connected to the spread of a variant of Mirai, the infamous malware and botnet known to target Internet of Things devices. DucklingStudio used a honeypot to detect the malware on Nov. 9, and an update on Dec. 28 explicitly connected it to the listed CVE for Four-Faith’s industrial routers.
Variants of Mirai —first observed in 2016 and originally written by a group of teenagers to create botnets — remain one of the most popular forms of malware attacking IoT devices worldwide. According to Zscaler, Mirai was identified in over a third of all IoT malware attacks between June 2023 and May 2024, far outpacing other malware families, while more than 75% of blocked IoT transactions were linked to the malicious code.
VulnCheck also published a rule for the open-source network detection tool Suricata that flags exploitation attempts against the routers on the wire.
According to Censys, there are at least 15,000 internet-connected routers potentially vulnerable to the flaw, and VulnCheck left open the possibility that additional router products may be affected. The National Institute of Standards and Technology's National Vulnerability Database assigns the bug a CVSS severity score of 7.2 (high) and notes that firmware version 2.0 (and possibly others) allows authenticated, remote command injection over HTTP.
Cale Black, an initial access exploit engineer for VulnCheck, told CyberScoop that the affected equipment is primarily deployed as an industrial router, with a focus on IoT and 4G networking. Exposed routers were primarily located in Turkey, China, Spain and Hungary, while 16 other countries had at least one exposed and public Four-Faith system in place.
While the flaw does require the attacker to have existing authentication, the fact that the routers are hardcoded with default credentials that were identified as part of a previous CVE means “it can be used to trigger any command on the routers as the administrative user,” Black said.
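The two ingredients described above, default credentials plus an authenticated command injection over HTTP, are exactly what a network-side detection (like the Suricata rule VulnCheck published) has to key on. The script below is an added illustration and is not VulnCheck's rule or any Four-Faith code: it parses raw HTTP requests, flags Basic-auth logins that match a watch-list of credential pairs, and flags form fields carrying shell metacharacters after percent-decoding. The credential pairs, the endpoint path and the field names are placeholders assumed for the example, not the router's actual defaults or vulnerable parameters, and the two requests are constructed samples rather than real captures.

```python
import base64
import re
from urllib.parse import parse_qs

# Watch-list of credential pairs to flag. The article only says the routers
# ship with default credentials; these pairs are assumed placeholders for the
# example, not Four-Faith's real defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}

# Shell metacharacters that have no business in a form field the firmware
# hands to a shell: command separators, pipes, backticks, newlines and $(.
SHELL_METACHARS = re.compile(r"[;|&`\n]|\$\(")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def basic_auth_credentials(headers):
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def classify_request(raw: bytes) -> set:
    """Return the set of findings for one captured HTTP request.

    'default_credentials'   - Basic auth matched a watch-listed pair
    'shell_metachar:<name>' - form field <name> carries shell metacharacters
    """
    method, path, headers, body = parse_http_request(raw)
    findings = set()
    if basic_auth_credentials(headers) in DEFAULT_CREDENTIALS:
        findings.add("default_credentials")
    if method == "POST" and body:
        # parse_qs percent-decodes, so "%3B" is seen as ";" before matching.
        for name, values in parse_qs(body, keep_blank_values=True).items():
            if any(SHELL_METACHARS.search(v) for v in values):
                findings.add(f"shell_metachar:{name}")
    return findings


# Constructed sample traffic (not real captures). The path and field names are
# placeholders and are not the vulnerable Four-Faith endpoint or parameter.
BENIGN = (
    b"POST /cgi-bin/settings.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic " + base64.b64encode(b"operator:Str0ng-Pass!") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"year=2024&month=12&day=27"
)
EXPLOIT_ATTEMPT = (
    b"POST /cgi-bin/settings.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"year=2024%3Bid&month=12"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("exploit", EXPLOIT_ATTEMPT)):
        print(label, sorted(classify_request(req)))
```

The percent-decoding step is the part worth copying: a signature that matches a literal `;` in the request body misses an attacker who sends `%3B`, while the router's CGI handler decodes it before passing the value to a shell. The credential check is only useful on the wire where the management interface is plain HTTP, which is the case the NVD entry describes for these routers.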
He added that while VulnCheck has only confirmed exploitability in F3x24 and F3x36 routers, "it is common for functionality to be deployed across the product lines by Four-Faith" and that the company may have other routers that are similarly affected.
The listed CVE does not yet include details about patching or remediation. Baines noted in his blog that VulnCheck notified Four-Faith of the vulnerability and affected routers on Dec. 20, and directed further questions about remediation to the company.
Four-Faith did not return a request for comment sent through its website prior to publication. Black said that VulnCheck has communicated with Four-Faith about the vulnerability multiple times since initially reaching out on Dec. 20 and that his understanding is the company is currently testing the flaw on their end.
According to the company’s website, Four-Faith is headquartered in Xiamen, a city in the Southeastern province of Fujian, China. It specializes in manufacturing industrial routers, Internet of Things devices, modems and other wireless communications technologies, and claims to have exported its technologies to over 100 countries.