
A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck.
The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.
The flaw's severity is rated lower than it otherwise would be because exploitation requires the remote attacker to authenticate first. However, if the routers' default credentials have not been changed, that requirement is trivially met and the bug effectively yields unauthenticated OS command execution.
In the attack detailed by VulnCheck, the unknown threat actors were found to leverage the router's default credentials to trigger exploitation of CVE-2024-12856 and launch a reverse shell for persistent remote access.
The exploitation attempt originated from the IP address 178.215.238[.]91, which has previously been used in connection with attacks seeking to weaponize CVE-2019-12168, another remote code execution flaw affecting Four-Faith routers. According to threat intelligence firm GreyNoise, efforts to exploit CVE-2019-12168 were recorded as recently as December 19, 2024.

"The attack can be executed against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint," Jacob Baines said in a report. "The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device's system time via submit_type=adjust_sys_time."
Data from Censys shows that there are over 15,000 internet-facing devices. There is some evidence suggesting that attacks exploiting the flaw may have been ongoing since at least early November 2024.
There is currently no information about the availability of patches, although VulnCheck said it responsibly reported the flaw to the Chinese company on December 20, 2024. The Hacker News has reached out to Four-Faith for comment prior to the publication of this story and will update the piece if we hear back.
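For defenders who cannot yet patch, the details above (the /apply.cgi endpoint, the submit_type=adjust_sys_time trigger, the adj_time_year parameter and the reported attacker IP) are enough to build a simple detection. The following Python script is an added example written for this article; it is not VulnCheck's or Four-Faith's code. It assumes a hypothetical, constructed log format that records the client IP, the request line and the POST body on one line; real router or proxy access logs rarely capture bodies, so in practice the parser would be fed from a reverse proxy, a WAF or a packet capture instead. The sample log lines are constructed, not real captures.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the article: the vulnerable endpoint, the
# trigger value, the injectable parameter and the reported attacker IP.
VULN_ENDPOINT = "/apply.cgi"
TRIGGER_PARAM = "submit_type"
TRIGGER_VALUE = "adjust_sys_time"
INJECT_PARAM = "adj_time_year"
KNOWN_ATTACKER_IPS = {"178.215.238.91"}

# A legitimate year is four digits; anything else is at least odd.
BENIGN_YEAR = re.compile(r"^\d{4}$")
# Characters a shell would interpret, i.e. what an injection needs.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

def parse_log_line(line):
    """Parse one constructed log line into a dict, or None if it does not match.

    Assumed (hypothetical) format, not Four-Faith's real log format:
        <client_ip> "<METHOD> <path?query> HTTP/1.1" <status> "<body>"
    """
    m = re.match(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) "(.*)"$', line)
    if not m:
        return None
    ip, method, target, status, body = m.groups()
    return {"ip": ip, "method": method, "target": target,
            "status": int(status), "body": body}

def extract_params(entry):
    """Merge query-string and form-body parameters; return (path, params)."""
    parts = urlsplit(entry["target"])
    params = {k: v[-1] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    if entry["body"]:
        params.update({k: v[-1] for k, v in
                       parse_qs(entry["body"], keep_blank_values=True).items()})
    return parts.path, params

def classify(entry):
    """Return the list of reasons this request looks like CVE-2024-12856 abuse."""
    reasons = []
    if entry["ip"] in KNOWN_ATTACKER_IPS:
        reasons.append("source IP matches reported attacker infrastructure")
    path, params = extract_params(entry)
    if path != VULN_ENDPOINT:
        return reasons
    year = params.get(INJECT_PARAM)
    if year is None:
        return reasons
    suspicious_year = False
    if SHELL_META.search(year):
        reasons.append(f"shell metacharacters in {INJECT_PARAM}: {year!r}")
        suspicious_year = True
    elif not BENIGN_YEAR.match(year):
        reasons.append(f"non-numeric {INJECT_PARAM}: {year!r}")
        suspicious_year = True
    # The article names adjust_sys_time as the trigger; note it when present
    # rather than requiring it, so variants on the same parameter still surface.
    if suspicious_year and params.get(TRIGGER_PARAM) == TRIGGER_VALUE:
        reasons.append(f"{TRIGGER_PARAM}={TRIGGER_VALUE} matches the reported trigger")
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        entry = parse_log_line(line.rstrip("\n"))
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample traffic: a legitimate clock change, an injection attempt
# through the reported trigger, a benign request from the reported IP, and an
# injection-shaped value sent under a different submit_type.
SAMPLE_LOG = [
    '10.0.0.5 "POST /apply.cgi HTTP/1.1" 200 "submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12"',
    '203.0.113.7 "POST /apply.cgi HTTP/1.1" 200 "submit_type=adjust_sys_time&adj_time_year=2024%3Bid&adj_time_month=12"',
    '178.215.238.91 "GET /index.html HTTP/1.1" 200 ""',
    '10.0.0.6 "POST /apply.cgi HTTP/1.1" 200 "submit_type=save_wifi&adj_time_year=%24(reboot)"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

The rule deliberately keys on the parameter rather than on the exact trigger value, so a payload smuggled under another submit_type is still reported, with the reported trigger noted as a strengthening signal when it is present. The IP match is a weak indicator on its own (it fires on the benign third line too) and is best treated as context for the parameter-based hit rather than as a stand-alone alert.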