Image: CrowdSec
A critical authentication bypass flaw in industrial cellular routers has transitioned into a full-blown mass exploitation campaign, with threat actors rapidly absorbing exposed devices into botnet infrastructure.
Global security networks are sounding the alarm over a sharp escalation in cyberattacks targeting the Four-Faith F3x36 line of industrial cellular routers. The vulnerability, tracked as CVE-2024-9643, carries a critical CVSS severity score of 9.8, and telemetry indicates that attackers are now operationalizing the flaw at scale.
According to a fresh intelligence brief from CrowdSec, the activity has rapidly moved past the point of isolated probing. The security provider recently updated the threat’s status after observing a swarm of unique attacking IP addresses aggressively hunting for the vulnerable edge devices.
“CrowdSec has observed 139 attacking IPs through 18 May, with activity rising enough to move this CVE into the Mass Exploitation phase on 12 May,” the company warns.
The underlying vulnerability represents a classic, systemic failure in hardware security: the presence of hard-coded administrative credentials left directly inside the device’s web management interface.
Because these credentials are universal and unchanging, an attacker does not need to engineer complex exploit chains or trigger memory corruption. Instead, they can gain administrative access simply by sending a specifically structured HTTP request to specific internal management pages, such as /Status_Router.asp.
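To make the systemic failure concrete, the following added example (not code from Four-Faith, CrowdSec, or the article) contrasts a login check with a credential baked into the firmware image against one that stores a per-device, operator-changeable secret. The username, placeholder password, iteration count and the forced-rotation policy are all constructed assumptions for illustration, not values taken from the affected devices.

```python
import hashlib
import hmac
import secrets

# --- Vulnerable pattern: one universal credential compiled into every unit.
# Both values are constructed placeholders, not the real device credentials.
BUILTIN_USER = "admin"
BUILTIN_PASSWORD = "factory-default"


def vulnerable_authenticate(user: str, password: str) -> bool:
    """Every shipped unit accepts the same pair; the operator cannot change it."""
    return user == BUILTIN_USER and password == BUILTIN_PASSWORD


# --- Hardened pattern: a secret unique to this device, stored as a salted hash,
# set at provisioning time and rotatable by the operator.
class CredentialStore:
    ITERATIONS = 100_000  # PBKDF2 work factor; tune for the device CPU (assumption)

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, key)
        self.must_change: set[str] = set()  # users still on a provisioning password

    def provision(self, user: str) -> str:
        """Generate a random first-login password for this unit and require rotation."""
        initial = secrets.token_urlsafe(12)
        self.set_password(user, initial)
        self.must_change.add(user)
        return initial

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._records[user] = (salt, key)

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            # Burn the same work so timing does not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, self.ITERATIONS)
            return False
        salt, key = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, key)  # constant-time comparison

    def rotate(self, user: str, old: str, new: str) -> bool:
        """Replace the secret; clears the forced-change flag on success."""
        if not self.authenticate(user, old):
            return False
        self.set_password(user, new)
        self.must_change.discard(user)
        return True


if __name__ == "__main__":
    # Two "devices" built from the same firmware image.
    print("hard-coded pair works on every unit:", vulnerable_authenticate("admin", "factory-default"))
    unit_a, unit_b = CredentialStore(), CredentialStore()
    pw_a, pw_b = unit_a.provision("admin"), unit_b.provision("admin")
    print("per-device secrets differ:", pw_a != pw_b)
    print("unit A secret rejected by unit B:", not unit_b.authenticate("admin", pw_a))
```

The point of the contrast is not the hashing detail but the trust model: with `vulnerable_authenticate`, knowledge of one unit's credential is knowledge of every unit's credential, which is exactly what lets a single scanner template take over devices at scale. With `CredentialStore`, each unit has its own secret and an operator can rotate it, so a leaked value is a local incident rather than a fleet-wide one.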
The barrier to entry for these attacks has plummeted to zero following the public release of automated detection scripts, including a widely distributed Nuclei template. This open-source exploit knowledge allows even low-skilled threat actors to scan the entire public internet address space, identify vulnerable systems, and immediately seize administrative control.
Four-Faith F3x36 routers are highly versatile cellular devices deployed globally to provide critical network connectivity for remote utility fields, logistics warehouses, distributed field equipment, and retail branch offices. They are designed to sit quietly on the network edge to keep standard operations online—a characteristic that makes them invisible to busy internal IT teams but highly conspicuous to malicious scanners.
The business pattern uncovered by CrowdSec indicates that attackers are not necessarily looking to steal data from the routers themselves. Rather, they are treating the hardware as a functional launchpad.
“In this case, 76% of observed attacker objectives align with infrastructure takeover, and commerce organizations account for the largest share of impacted environments,” the report states.
By gaining a persistent foothold on an industrial router, an adversary achieves multiple strategic objectives. They sit directly in the middle of the corporate traffic path, can easily pivot laterally into private internal networks that were previously protected, or use the device’s unmonitored processing power to proxy malicious traffic and launch attacks against other high-value targets.
The geographical data surrounding the campaign strongly reinforces that this is an automated, opportunistic sweep rather than a targeted operation by a specific nation-state actor. The attacking IP addresses are broadly distributed across the globe, with heavy infrastructure spikes registered out of the United Kingdom, Germany, the United States, and the Netherlands.
As the CrowdSec report warns: “In plain terms, this is how neglected edge hardware turns into someone else’s botnet.”
With automated scanning platforms actively picking off unpatched hardware, organizations leveraging Four-Faith or adjacent industrial routers cannot afford to delay defensive cycles. Security teams are strongly urged to deploy the following active countermeasures:
- Patch Firmware Immediately: Check with Four-Faith or your direct device supplier to secure and flash the latest patched firmware version.
- Restrict Management Portal Exposure: Ensure that the router’s web interface and administrative portals (such as /Status_Router.asp) are completely blocked from the public internet. Restrict management access exclusively to internal VPN tunnels or isolated administrative subnets.
- Audit Network Traffic: Monitor outbound connections from edge devices for unusual destination anomalies or patterns consistent with DNS and HTTP proxy abuse.
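The two detection-oriented countermeasures above can be turned into simple log checks. The following added example (not code from CrowdSec, Four-Faith, or the article) runs two rules over a constructed firewall-style log: it flags requests for the management page named in the report, `/Status_Router.asp`, that arrive from outside the trusted administrative ranges, and it flags edge devices whose outbound traffic fans out to many distinct destination:port pairs on ports typical of DNS and HTTP proxying. The log format, IP addresses, trusted networks and the fan-out threshold are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Management endpoints to watch. /Status_Router.asp is the page named in the report;
# extend this set with the other paths your own device's web UI exposes.
MANAGEMENT_PATHS = {"/Status_Router.asp"}

# Sources from which administrative access is legitimate: RFC 1918 here, plus whatever
# VPN or out-of-band management ranges your site uses (assumption).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Outbound ports whose fan-out suggests DNS/HTTP proxy abuse; threshold is a tunable assumption.
PROXY_PORTS = {"53", "80", "443", "8080"}
FANOUT_THRESHOLD = 5

# Constructed sample log, one record per line: "<timestamp> key=value ...".
# 192.0.2.10 and 192.0.2.11 play two routers' WAN addresses; the format itself is invented.
SAMPLE_LOG = """\
2024-05-12T09:58:10Z dir=in src=10.0.5.20 dst=192.0.2.10 method=GET path=/Status_Router.asp status=200
2024-05-12T10:00:01Z dir=in src=203.0.113.45 dst=192.0.2.10 method=GET path=/Status_Router.asp status=200
2024-05-12T10:00:03Z dir=in src=198.51.100.9 dst=192.0.2.10 method=GET path=/index.html status=401
2024-05-12T10:00:09Z dir=in src=203.0.113.77 dst=192.0.2.10 method=GET path=/Status_Router.asp?lang=en status=200
2024-05-12T10:04:00Z dir=out src=192.0.2.10 dst=198.51.100.21 dport=443
2024-05-12T10:04:02Z dir=out src=192.0.2.10 dst=198.51.100.22 dport=443
2024-05-12T10:04:05Z dir=out src=192.0.2.10 dst=198.51.100.23 dport=80
2024-05-12T10:04:07Z dir=out src=192.0.2.10 dst=203.0.113.200 dport=53
2024-05-12T10:04:08Z dir=out src=192.0.2.10 dst=203.0.113.201 dport=53
2024-05-12T10:04:09Z dir=out src=192.0.2.10 dst=198.51.100.24 dport=8080
2024-05-12T10:04:30Z dir=out src=192.0.2.11 dst=198.51.100.21 dport=443
2024-05-12T10:04:31Z dir=out src=192.0.2.11 dst=198.51.100.21 dport=80
"""


def parse_log(text: str) -> list[dict]:
    """Split each record into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = ts
        events.append(fields)
    return events


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def exposed_management_hits(events: list[dict]) -> list[dict]:
    """Management-page requests that reached the router from outside the trusted ranges.
    A status of 200 means the portal answered, i.e. it is reachable from the internet."""
    hits = []
    for e in events:
        if e.get("dir") != "in":
            continue
        path = e.get("path", "").split("?", 1)[0]  # ignore the query string
        if path in MANAGEMENT_PATHS and not is_trusted(e["src"]):
            hits.append({"ts": e["ts"], "src": e["src"], "path": path, "status": e.get("status")})
    return hits


def outbound_fanout(events: list[dict], threshold: int = FANOUT_THRESHOLD) -> dict[str, int]:
    """Edge devices contacting at least `threshold` distinct destination:port pairs on proxy ports."""
    dests = defaultdict(set)
    for e in events:
        if e.get("dir") == "out" and e.get("dport") in PROXY_PORTS:
            dests[e["src"]].add((e["dst"], e["dport"]))
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in exposed_management_hits(evs):
        print(f"ALERT {h['path']} reached from {h['src']} at {h['ts']} (HTTP {h['status']})")
    for src, n in outbound_fanout(evs).items():
        print(f"ALERT {src} contacted {n} distinct external destination:port pairs")
```

On the sample data the first rule raises two alerts (the two public sources that reached `/Status_Router.asp`, one of them via a query string, while the trusted admin host is ignored) and the second rule flags only the router that fanned out to six destination:port pairs. In practice the first rule belongs on whatever sits in front of the router's WAN side, and any hit with a 200 response is direct evidence that the portal is still exposed and the restriction in the previous bullet has not taken effect.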