CVE-2024-9643
Published: 2025-02-04
Priority P185 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.96% (85.5th percentile)
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| four-faith | f3x36_firmware | — | — |
Detection & IOCs (extracted from sources)
- other: ZmZhZG1pbjpmZmFkbWluZmY=
- url: /Status_Router.asp
- other: httpd_four-faith

- Detect exploitation attempts by looking for HTTP GET requests to /Status_Router.asp with a Base64-encoded Authorization header matching the hard-coded credential ZmZhZG1pbjpmZmFkbWluZmY= (ffadmin:ffadminfff decoded).
- Identify Four-Faith F3x36 devices on the network by matching the Server header value 'httpd_four-faith' in HTTP responses.
- Use Shodan query 'Four-Faith' or FOFA query body='Four-Faith' to enumerate exposed Four-Faith F3x36 devices potentially vulnerable to this authentication bypass.
- A successful exploit results in HTTP 200 response to /Status_Router.asp with body containing both 'Four-Faith' and 'Status' strings, indicating administrative access was granted.
- The hard-coded credential is embedded in firmware v2.0.0 only; other firmware versions may not be affected.
- This issue is noted as similar to CVE-2023-32645, suggesting a pattern of hard-coded credential reuse across Four-Faith product lines; detection rules should be evaluated against related models.
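
The detection notes above as an added Python example (not taken from any of the quoted sources): it classifies a captured request/response pair as no match, attempt, or successful login, and checks the Server banner for inventory. The path, Base64 token, banner and body strings are the ones listed on the page; the function names and the sample traffic (192.0.2.10) are constructed for illustration.

```python
import base64

# Indicators quoted from the page; all sample traffic below is constructed.
HARDCODED_B64 = "ZmZhZG1pbjpmZmFkbWluZmY="
HARDCODED_RAW = base64.b64decode(HARDCODED_B64)
TARGET_PATH = "/Status_Router.asp"
SERVER_BANNER = "httpd_four-faith"

def parse_http(raw):
    # Split a raw message into (start line, lowercased header dict, body).
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def uses_hardcoded_credential(auth_value):
    # Compare decoded bytes so scheme casing or stripped padding cannot hide a match.
    scheme, _, token = auth_value.partition(" ")
    token = token.strip()
    if scheme.lower() != "basic":
        return False
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4)) == HARDCODED_RAW
    except ValueError:
        return False

def classify(request_raw, response_raw):
    # Returns "none", "attempt" (credential sent) or "success" (admin page served).
    req_line, req_headers, _ = parse_http(request_raw)
    parts = req_line.split()
    hit = len(parts) > 1 and parts[0] == "GET" and parts[1].split("?")[0] == TARGET_PATH
    if not (hit and uses_hardcoded_credential(req_headers.get("authorization", ""))):
        return "none"
    status_line, _, body = parse_http(response_raw)
    ok = status_line.split()[1:2] == ["200"]
    return "success" if ok and "Four-Faith" in body and "Status" in body else "attempt"

def is_four_faith_device(response_raw):
    # Inventory check: Server header equals the banner named on the page.
    return parse_http(response_raw)[1].get("server", "") == SERVER_BANNER

# Constructed samples: lowercase header name, lowercase scheme, padding removed.
SAMPLE_REQ = ("GET /Status_Router.asp HTTP/1.1\r\nHost: 192.0.2.10\r\n"
              "authorization: basic ZmZhZG1pbjpmZmFkbWluZmY\r\n\r\n")
SAMPLE_OK = "HTTP/1.1 200 OK\r\nServer: httpd_four-faith\r\n\r\n<title>Four-Faith Status</title>"
```

A "success" result on a device you own means the hard-coded account was accepted and the device should be handled per the required action listed below; an "attempt" result is still worth alerting on.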
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-fhhq-87cf-828w: The Four-Faith F3x36 router using firmware v2
ghsa_unreviewed·2025-02-04·CVSS 9.8
CVE-2024-9643 [CRITICAL] CWE-489 GHSA-fhhq-87cf-828w: The Four-Faith F3x36 router using firmware v2
VulnCheck
Four-Faith f3x36_firmware Active Debug Code
vulncheck·2024·CVSS 9.8
CVE-2024-9643 [CRITICAL] Four-Faith f3x36_firmware Active Debug Code
Affected: Four-Faith f3x36_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-9643&date=2025-10-13; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-9643&date=2025-10-14; https://api.vulncheck.com/v3/index/vulncheck-canaries?
Suricata
ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883)
suricata·2024-09-18·CVSS 9.8
CVE-2024-4883 [CRITICAL] ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883)
Rule: alert tcp any any -> $HOME_NET 9643 (msg:"ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth WriteDataFile Directory Traversal RCE (CVE-2024-4883)"; flow:established,to_server; content:"|00|W|00|h|00|a|00|t|00|s|00|U|00|p|00 5c 00|h|00|t|00|m|00|l|00 5c 00|N|00|m|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00 5c 00|"; fast_pattern; pcre:"/^(?:[\x20-\x7e]\x00)+\x2e\x00a\x00s\x00p\x00x\x00/Ri"; reference:url,summoning.team/blog/progress-whatsup-gold-writedatafile-cve-2024-4883-rce/; reference:cve,2024-4883; classtype:web-application-activity; sid:2055953; rev:1; metadata:affected_product WhatsUp_Gold, created_at 2024_09_18, cve CVE_2024_4883, deployment Perimeter, deployment Internal, con
Nuclei
Four-Faith F3x36 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-9643 [CRITICAL] Four-Faith F3x36 - Authentication Bypass
Four-Faith F3x36 router with firmware v2.0.0 contains an authentication bypass caused by hard-coded credentials in the administrative web server, letting attackers with knowledge of credentials gain administrative access via crafted HTTP requests.
Template:
```yaml
id: CVE-2024-9643
info:
  name: Four-Faith F3x36 - Authentication Bypass
  author: trader642
  severity: critical
  description: |
    Four-Faith F3x36 router with firmware v2.0.0 contains an authentication bypass caused by hard-coded credentials in the administrative web server, letting attackers with knowledge of credentials gain administrative access via crafted HTTP requests.
  impact: |
    Attackers can gain unauthorized administrative access, potentially leading to full control over the device.
  remediat
```
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio