In late 2024, VulnCheck discovered an authenticated OS command injection vulnerability in Four-Faith industrial routers, tracked as CVE-2024-12856. This high-severity flaw (CVSS score: 7.2) affects at least two major product lines:
• F3x24 Wi-Fi Industrial Router
• F3x36 LTE Wireless Router
Vulnerability Overview
Devices running firmware version 2.0 or later are vulnerable to this flaw, which allows remote attackers to execute arbitrary operating system commands via crafted HTTP POST requests.
• CWE Mapping: CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
• MITRE ATT&CK: T1202 – Indirect Command Execution
According to Censys, over 10,000 devices are currently exposed to the internet and potentially vulnerable.
Technical Details
The vulnerability lies in the adjust_sys_time function, which is accessible through the apply.cgi endpoint. When a malicious payload is inserted into the adj_time_year parameter, the input is improperly sanitized (or not sanitized at all), leading to direct execution of commands via the underlying Real-Time Clock utility.
Exploitation Path:
• Authentication is required, but if the device is using default credentials, attackers can chain the misconfiguration with this vulnerability to achieve unauthenticated RCE.
• The injected command runs once the device accepts the crafted HTTP POST request.
Signature Rule & False Positive Fix
The ICSFusion Research Team observed that existing public Snort rules for CVE-2024-12856 generate excessive false positives, even with legitimate requests. To address this, we developed an improved Snort rule using a refined PCRE regex that accurately detects malicious requests without flagging normal device operations.
alert http any any -> any any (
msg:"ICSF EXPLOIT Possible Four-Faith RCE CVE-2024-12856";
flow:to_server;
http_method;
content:"POST",nocase;
http_uri; content:"apply.cgi",nocase;
http_raw_header; content:"Authorization",nocase;
http_raw_body; content:"change_action=",nocase;
content:"adjust_sys_time";
pcre:"/adj_time_[a-zA-Z]+=[^&]*[^\d&][^&][&|\w]/";
classtype:web-application-attack;
reference:cve,CVE-2024-12856;
reference:url,https://vulncheck.com/blog/four-faith-cve-2024-12856;
sid:15510002; rev:1; metadata:created_at 2024_12_30;
)
How it works:
• Triggers only when a POST request to apply.cgi includes:
o Authorization header (authentication required),
o change_action= and adjust_sys_time in the body,
o Malicious or malformed adj_time_* parameter values.
• Allows legitimate time-setting parameters (e.g., numeric values like adj_time_year=2025) to pass without alerting.
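To check the rule's false-positive behaviour offline, the following Python script (added here; it is not part of the ICSFusion rule or the original write-up) re-implements the rule's match conditions, with its PCRE copied unchanged, and runs them over constructed sample requests. The host name, Authorization value and request bodies are made-up test data.

```python
import re
from dataclasses import dataclass

# The PCRE from the rule above, unchanged; this subset of PCRE behaves the same in Python's re.
ADJ_TIME_PCRE = re.compile(r"adj_time_[a-zA-Z]+=[^&]*[^\d&][^&][&|\w]")

@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict
    body: str

def matches_icsf_rule(req: HttpRequest) -> bool:
    """Mirror the rule's options in order; every check must pass before an alert fires."""
    if req.method.upper() != "POST":                      # http_method; content:"POST",nocase
        return False
    if "apply.cgi" not in req.uri.lower():                # http_uri; content:"apply.cgi",nocase
        return False
    raw_header = "\r\n".join(f"{k}: {v}" for k, v in req.headers.items())
    if "authorization" not in raw_header.lower():         # http_raw_header; content:"Authorization",nocase
        return False
    if "change_action=" not in req.body.lower():          # http_raw_body; content:"change_action=",nocase
        return False
    if "adjust_sys_time" not in req.body:                 # content:"adjust_sys_time" (case-sensitive)
        return False
    return ADJ_TIME_PCRE.search(req.body) is not None     # pcre: non-numeric adj_time_* value

# Constructed sample traffic (not captured data); the Authorization value is a placeholder.
AUTH = {"Host": "router.example", "Authorization": "Basic PLACEHOLDER"}
LEGIT_BODY = ("change_action=adjust_sys_time&adj_time_year=2025&adj_time_month=1"
              "&adj_time_day=15&adj_time_hour=10&adj_time_minute=30&adj_time_second=0")
MALFORMED_BODY = "change_action=adjust_sys_time&adj_time_year=2025abc&adj_time_month=1"

SAMPLES = {
    "legit_time_set":    HttpRequest("POST", "/apply.cgi", AUTH, LEGIT_BODY),
    "malformed_year":    HttpRequest("POST", "/apply.cgi", AUTH, MALFORMED_BODY),
    "malformed_no_auth": HttpRequest("POST", "/apply.cgi", {"Host": "router.example"}, MALFORMED_BODY),
    "other_endpoint":    HttpRequest("POST", "/status.cgi", AUTH, MALFORMED_BODY),
}

def evaluate_samples() -> dict:
    """Return {sample name: alert?} so the rule's behaviour on each sample can be checked."""
    return {name: matches_icsf_rule(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, alert in evaluate_samples().items():
        print(f"{name:20s} -> {'ALERT' if alert else 'no alert'}")
```

Only the request with a non-numeric adj_time_year value alerts; the all-numeric time-setting request, the request without an Authorization header, and the request to a different endpoint do not.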
Real-World Exploitation: The “Gayfemboy” Botnet
This vulnerability is actively being exploited to deploy a Mirai-variant botnet named Gayfemboy, as reported by QAX Lab. The botnet uses a multi-vector infection strategy, combining:
• CVE-2024-12856
• 20+ other known/unknown IoT vulnerabilities
• Weak/default credentials
The infections have spread worldwide, with the most affected regions being:
• China
• United States
• Iran
• Russia
• Türkiye
________________________________________
Recommendations
1. Update firmware to the latest patched version provided by Four-Faith.
2. Change default credentials immediately if still in use.
3. Apply updated Snort or Suricata rules to detect and block malicious payloads.
4. Monitor for suspicious outbound connections that may indicate botnet activity.
5. Isolate or restrict internet-facing access to industrial routers whenever possible.
________________________________________
References