Hackers Exploit Vulnerability In 15,000 Industrial Routers Worldwide
Hackers are targeting a serious security flaw in Four-Faith industrial routers made in China.
In a Rush? Here are the Quick Facts!
- The vulnerability allows attackers to gain unauthorized control over affected routers remotely.
- Hackers use default credentials to execute reverse shells, compromising around 15,000 devices.
- The vulnerability is linked to Mirai malware, which was responsible for over 33% of IoT malware attacks recently.
The issue, identified as CVE-2024-12856, affects the F3x24 and F3x36 models. It allows attackers to take control of the routers remotely by exploiting their default login credentials, putting thousands of devices at risk. Security researchers at VulnCheck reported the problem.
VulnCheck Chief Technology Officer Jacob Baines reported that his team detected the same user agent mentioned in a November blog post by DucklingStudio, now being used in attempts to exploit the vulnerability and deploy a different malware payload. Baines also shared a video demonstrating how the flaw can be exploited.
Gov Security Info explains that Four-Faith routers are commonly used in industries requiring remote monitoring and control. Typical customers include factories, manufacturing plants, industrial automation systems, power grids, renewable energy facilities, water utilities, and transportation companies.
These routers support real-time data transmission for tasks like fleet management and vehicle tracking. Researchers estimate that around 15,000 devices accessible online are vulnerable to the attack, based on a Censys report.
Exploiting the flaw lets attackers execute a reverse shell, giving them unauthorized control of the routers. In a reverse shell attack, as noted by CheckPoint, attackers exploit a vulnerability to make the victim machine connect back to their server, which gives them command-line access for remote control, data theft, malware deployment, and access to secure networks.
Cyberscoop reports that the vulnerability may be tied to a variant of Mirai, the notorious malware and botnet targeting Internet of Things (IoT) devices. Mirai, first detected in 2016 and originally developed by teenagers to create botnets, remains a dominant threat to IoT devices globally.
Zscaler data shows Mirai accounted for over a third of IoT malware attacks between June 2023 and May 2024, far surpassing other malware families. Additionally, more than 75% of blocked IoT transactions during this period were associated with Mirai’s malicious code, as reported by Cyberscoop.
According to Gov Security Info, Four-Faith was informed of the vulnerability on December 20 under VulnCheck’s responsible disclosure policy. Details about patches or firmware updates are currently unavailable.
Researchers recommend that users of affected router models change default credentials, restrict network exposure, and monitor device activity closely.