
Two newly discovered security vulnerabilities—CVE-2024-9643 and CVE-2024-9644—affecting the Four-Faith F3x36 router (firmware v2.0.0) could allow remote attackers to gain unauthorized administrative access. Both vulnerabilities carry a near-maximum CVSS score of 9.8, indicating their severity and the ease with which they can be exploited.
The first vulnerability, tracked as CVE-2024-9643, stems from the presence of hard-coded credentials within the router’s administrative web server. This flaw allows attackers who know these credentials to bypass authentication and gain complete administrative control simply by sending specially crafted HTTP requests. This flaw is reminiscent of CVE-2023-32645, a similar hard-coded credential issue.
The second flaw, identified as CVE-2024-9644, is another authentication bypass vulnerability, this time residing in the “bapply.cgi” endpoint of the administrative web server. Unlike the standard “apply.cgi” endpoint, “bapply.cgi” apparently lacks proper authentication enforcement for certain administrative functions. This allows a remote, unauthenticated attacker to modify router settings or, even more concerning, to chain this vulnerability with existing flaws that otherwise require authentication, raising the combined impact to critical.
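As an added example (not code from the original article or from Four-Faith), the following Python scans web-server access logs for the request patterns the two flaws above imply: administrative CGI requests arriving from outside an assumed management network, and successful requests to bapply.cgi with no authenticated user. The log format, sample lines and management range are constructed assumptions; the router's real log format is not documented here.

```python
"""Flag access-log entries matching the Four-Faith F3x36 admin-CGI exposure
described above (apply.cgi / bapply.cgi). Log format, sample data and the
management network are constructed assumptions for this example."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in combined-log style (assumed format, not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2025:10:14:03 +0000] "POST /bapply.cgi HTTP/1.1" 200 512 "-" "-"
192.168.1.10 - admin [02/Jan/2025:10:15:21 +0000] "POST /apply.cgi HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2025:10:16:44 +0000] "GET /index.html HTTP/1.1" 200 1800 "-" "curl/8.0"
203.0.113.7 - - [02/Jan/2025:10:17:02 +0000] "POST /apply.cgi HTTP/1.1" 401 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
MGMT_NETS = [ip_network("192.168.1.0/24")]   # assumed management range
ADMIN_CGI = {"/apply.cgi", "/bapply.cgi"}     # endpoints named in the article

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons an entry is suspicious (empty list if benign)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]
    if path not in ADMIN_CGI:
        return reasons
    src = ip_address(entry["ip"])
    if not any(src in net for net in MGMT_NETS):
        reasons.append("admin CGI reached from outside management network")
    # bapply.cgi lacks authentication enforcement, so a 2xx response with
    # no authenticated user is the CVE-2024-9644 pattern to alert on.
    if path == "/bapply.cgi" and entry["user"] == "-" and entry["status"].startswith("2"):
        reasons.append("unauthenticated request to bapply.cgi succeeded")
    return reasons

def scan(log_text):
    """Return (ip, path, reasons) for every suspicious line in log_text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            findings.append((entry["ip"], entry["path"], reasons))
    return findings

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```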
Four-Faith routers have been a popular target for cybercriminals, particularly botnet operators. In late December 2024, researchers from Chainxin X Lab observed a rapidly evolving Mirai-based botnet leveraging zero-day exploits against industrial routers and smart home devices. This botnet has been actively targeting Four-Faith routers using CVE-2024-12856, a previously unknown vulnerability.
Given this ongoing trend of exploitation, it is highly likely that CVE-2024-9643 and CVE-2024-9644 will soon be integrated into automated exploit kits and botnets. Attackers have already demonstrated the ability to weaponize zero-day vulnerabilities against these devices, making unpatched routers prime targets.
Users of Four-Faith F3x36 routers are strongly advised to apply the available firmware updates immediately.