Critical Vulnerabilities in Four-Faith Routers

Jan 28, 2025

Researchers have disclosed a critical new weakness in Four-Faith's industrial routers that is already being exploited in the wild. The bug is an OS command injection, and its exploitation lets an attacker deploy a reverse shell and gain further access to the affected devices. The vulnerability is tracked as CVE-2024-12856 and has been rated with a CVSS score of 7.2. Read on to learn more about this flaw, which affects only the F3x24 and F3x36 models running firmware version 2.0.

Vulnerability Overview

Four-Faith industrial routers, specifically the F3x24 and F3x36 models running firmware version 2.0, are affected. With about 15,000 such devices exposed to the internet, concerns are growing about the wider exposure of sectors whose core infrastructure depends on ICS and OT.

The issue lies in the apply.cgi endpoint, which handles changes to the system time. Attackers can trigger it with specially crafted HTTP POST requests. Although exploitation requires authentication, a successful request executes arbitrary OS commands on the affected device.

A major part of the risk is that version 2.0 of these gateways ships with default login credentials. If those credentials are not changed, an attacker can use this easy entry point without needing to obtain a password, which in effect means running commands on the operating system remotely without any real authentication.
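To make the flaw class concrete, here is an added illustration written for this page, not Four-Faith's code: a hypothetical time-setting routine of the kind apply.cgi implements, first in the vulnerable shape (the request value is concatenated into a shell command line) and then hardened (the value is allow-list validated and passed as a single argv element with no shell involved). The function names, the timestamp format and the sample input are assumptions.

```python
import re
import subprocess
from datetime import datetime

# Hypothetical handler modelled on the flaw class the article describes:
# a CGI routine that sets the system time from a request parameter.
# Written for this page; not Four-Faith's code.

TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def vulnerable_build_command(user_time: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a command
    line that is later handed to the shell. A closing quote followed by ';'
    (or any other shell metacharacter) ends the intended command and starts
    a new one, so the device runs whatever the request contained."""
    return "date -s '" + user_time + "'"


def validate_time(user_time: str) -> str:
    """Allow-list validation: the value must be exactly one timestamp in
    YYYY-MM-DD HH:MM:SS form and must parse as a real calendar date."""
    if not TIME_RE.fullmatch(user_time):
        raise ValueError("time must match YYYY-MM-DD HH:MM:SS")
    datetime.strptime(user_time, "%Y-%m-%d %H:%M:%S")  # rejects 2025-13-45 and similar
    return user_time


def hardened_build_argv(user_time: str) -> list:
    """Hardened pattern: validate first, then pass the value as one argv
    element. With shell=False no shell ever parses the string, so
    metacharacters carry no meaning even if validation were bypassed."""
    return ["date", "-s", validate_time(user_time)]


def set_system_time(user_time: str, dry_run: bool = True) -> list:
    """Apply the hardened pattern. dry_run=True (the default) returns the
    argv without executing it; changing the clock needs root on a real host."""
    argv = hardened_build_argv(user_time)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)
    return argv


if __name__ == "__main__":
    good = "2025-01-28 10:00:00"
    bad = good + "'; echo injected #"   # constructed malformed input for the validator to reject
    print("vulnerable would run:", vulnerable_build_command(bad))
    print("hardened argv:", set_system_time(good))
    try:
        set_system_time(bad)
    except ValueError as err:
        print("hardened rejected input:", err)
```

The point of the hardened version is that the two defenses are independent: the regex and strptime reject anything that is not a timestamp, and the argv list means the operating system receives the value as data rather than as shell syntax.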

The Nature of Attack and Exploitation

Attackers can use the shell to gain remote access to affected routers. That access lets them exfiltrate data, alter configurations, or use the router as a pivot to reach other connected systems.

VulnCheck researchers first observed in-the-wild attacks targeting the vulnerability in November 2024. Those attacks used HTTP POST requests to the system-time change function, much as earlier exploits used the apply.cgi endpoint. While the first exploitation attempts resembled those that targeted CVE-2019-12168 to some extent, the method and payload of the two differed.

The Far-reaching Impact

Four-Faith industrial routers are popular in industries that depend on operational technology (OT) and industrial control systems (ICS), including manufacturing, energy, and utilities. A real intrusion could allow adversaries to compromise and take control of entire infrastructures, potentially causing production losses or equipment damage.

The impact could be large in scale, which is unsurprising given that many of these devices are exposed to the internet and may have been set up without proper security standards. Default accounts are another well-known but equally fatal mistake that leaves devices highly susceptible to intrusion, since default access opens the door wide.

Mitigation and Recommendations

Organizations using Four-Faith F3x24 and F3x36 models are strongly advised to take immediate action to mitigate the risk posed by this vulnerability:

  • Update Firmware: Manufacturers should release patches or updated firmware versions to address CVE-2024-12856. Businesses should upgrade to the latest available firmware as soon as possible.

  • Change Default Credentials: Ensure all devices are configured with strong, unique passwords to prevent unauthenticated access.

  • Limit Internet Exposure: Restrict access to affected devices with firewalls or VPNs so that critical systems are not reachable from the Internet.

  • Monitor Network Traffic: Monitor for unusual traffic patterns or signs of exploitation attempts, particularly POST requests to the apply.cgi endpoint.

  • Implement Intrusion Detection: Employ intrusion detection and prevention systems (IDS/IPS) to detect and block malicious activity associated with this vulnerability.
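The monitoring and IDS recommendations above can be turned into a simple triage rule. The following is an added example written for this page (not VulnCheck's or Four-Faith's code) that scans HTTP request records of the kind a reverse proxy or IDS in front of the router might log, and grades every POST to apply.cgi: medium when it comes from the management network, high when it comes from anywhere else, and critical when a decoded form value contains shell metacharacters. The record layout, the management network range, and the form field names in the constructed sample are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Iterator, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Added detection example for this page. The record format, management
# network and form field names are assumptions, not the vendor's.

MANAGEMENT_NETS = [ip_network("10.0.5.0/24")]   # assumed admin network
METACHAR_RE = re.compile(r"[;|&`$<>\r\n]")       # shell metacharacters in a decoded value

# Constructed sample records (not real traffic). The third one carries a
# quote and ';' in the time field, the shape of input a command-injection
# attempt against a time-setting handler would need.
SAMPLE_REQUESTS = [
    {"src": "10.0.5.12",    "method": "POST", "path": "/apply.cgi",
     "body": "action=set_time&time=2025-01-28%2010%3A00%3A00"},
    {"src": "203.0.113.44", "method": "POST", "path": "/apply.cgi",
     "body": "action=set_time&time=2025-01-28%2010%3A00%3A00"},
    {"src": "203.0.113.44", "method": "POST", "path": "/apply.cgi?x=1",
     "body": "action=set_time&time=2025-01-28%2010%3A00%3A00%27%3Becho%20x%23"},
    {"src": "198.51.100.7", "method": "GET",  "path": "/index.html", "body": ""},
]


def decoded_fields(body: str) -> Iterator[Tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body pair by pair.
    Done by hand rather than with parse_qs so that a ';' inside a value is
    kept (older Python versions treated ';' as a pair separator)."""
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)


def is_management_source(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def classify(rec: dict) -> Optional[str]:
    """Severity for one request, or None when it is not of interest.
    critical: POST to apply.cgi whose form values contain shell metacharacters
    high:     POST to apply.cgi from outside the management network
    medium:   POST to apply.cgi from the management network (review, not alert)"""
    path = urlsplit(rec["path"]).path
    if rec["method"].upper() != "POST" or not path.endswith("/apply.cgi"):
        return None
    if any(METACHAR_RE.search(value) for _, value in decoded_fields(rec.get("body", ""))):
        return "critical"
    return "medium" if is_management_source(rec["src"]) else "high"


def scan(records: list) -> list:
    findings = []
    for rec in records:
        severity = classify(rec)
        if severity is not None:
            findings.append({"src": rec["src"], "severity": severity, "path": rec["path"]})
    return findings


def sources_to_block(findings: list) -> list:
    """Sources with at least one critical finding, e.g. for a firewall deny list."""
    return sorted({f["src"] for f in findings if f["severity"] == "critical"})


if __name__ == "__main__":
    results = scan(SAMPLE_REQUESTS)
    for f in results:
        print(f"{f['severity']:8} {f['src']:15} {f['path']}")
    print("block:", sources_to_block(results))
```

Because the flaw requires a POST to one specific endpoint, the source-based rule alone already separates routine administration from Internet-originated configuration changes; the metacharacter rule adds a second, content-based signal for the case where an attacker is coming from an allowed network or has obtained the default credentials.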

The attacks based on CVE-2024-12856 highlight the growing threats to industrial networks, especially where critical devices are connected to the internet without proper security. Companies using Four-Faith routers must deal with compromised devices and strengthen their network defenses. There is an urgent need for updated firmware and secure authentication practices to safeguard industrial systems and operational technology.

12 Critical Tips from Global Cybersecurity Authorities

The following tips have been published in a broader form by several Western cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and its counterparts in Canada, Australia, the United Kingdom, and the European Commission.

These agencies have observed that most operational technology products do not incorporate even the minimum guarantees required for protection against attackers. Once companies discover weaknesses, they can identify areas of concern in the control systems used by various critical infrastructure sectors. To reduce the risks associated with new software purchases, operational technology owners should consider the following 12 security factors:

  1. Configuration Management: Keep products properly configured and ensure that this configuration cannot be altered without authorization throughout the product's life.

  2. Logging in the Baseline Product: Ensure that the solutions being deployed record all important activities. This will help identify intrusions and support recovery efforts.

  3. Open Standards: Apply global technical standards to improve agility and security in your operations.

  4. Ownership: Ensure that the buyer owns all aspects of the product, from making changes to maintaining it and handling any issues that arise.

  5. Safekeeping Data: Make sure business data is properly protected in terms of confidentiality, integrity, and availability during operations.

  6. Protected by Default: Ensure the product is secure on delivery, so that only minor adjustments to the default settings are needed to protect against basic threats.

  7. Safe Communications: Use SSL and encryption to safeguard sensitive communication with operational technology devices.

  8. Secure Controls: Be proactive about the controls that protect against malicious commands and intrusions.

  9. Strong Authentication: Confirm that your enterprise has very strong authentication in place, to ensure that only the right individuals get access.

  10. Threat Modeling: Help defenders by outlining the essential controls and defenses they need. Consider the product's type, the likely profile of attackers, the most common ways they might attack, and the specific assets that are most valuable.

  11. Vulnerability Management: Build a solid process to detect, fix, and handle vulnerabilities in operational technology solutions.

  12. Upgrade and Patch Tooling: Keeping your digital infrastructure up to date ensures that all products run smoothly and can be patched as often as security requires.

Note that these elements cannot be treated in isolation; they should be viewed and applied as a set of factors that together facilitate the identification and adoption of secure outcomes.

Furthermore, if attackers get hold of any of the data the routers generate, they can breach safety measures or paralyze operations. That is why organizations need robust frameworks to protect data in operational technology systems and to monitor changes or suspicious activity.

The above-mentioned agencies also emphasized the importance of Security in Big and Open Data (SBOD), which means solutions should be resistant to many threats and vulnerabilities without needing human intervention. Last but not least, secure controls are necessary to shield devices from receiving malicious commands, since attackers may already be inside the network.

Conclusion

As recent analysis shows, Operational Technology (OT) systems are likely to become prime targets in industrial environments, especially with threats like CVE-2024-12856. It is therefore crucial to prioritize security rather than treating it as an afterthought. By adopting the guidance issued by the Western agencies listed above, owners and operators can make better choices when selecting new products and put in place measures to safeguard their fundamental infrastructure. Security by design, strong authentication, timely updates, and detailed threat profiling are critical to building an effective layer of protection against increasingly advanced cyber threats in the ICS/OT domain.
