CVE-2024-9644
Published 2025-02-04
Priority P188 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 0.64% (46.1th percentile)
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated attacker can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| four-faith | f3x36 | — | — |
| four-faith | f3x36_firmware | — | — |
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-54hp-v955-wr4h: The Four-Faith F3x36 router using firmware v2
ghsa_unreviewed·2025-02-04
CVE-2024-9644 [CRITICAL] CWE-306 GHSA-54hp-v955-wr4h: The Four-Faith F3x36 router using firmware v2
VulnCheck
Four-Faith F3x36 Router bapply.cgi Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-9644 [CRITICAL] Four-Faith F3x36 Router bapply.cgi Authentication Bypass Vulnerability
Affected: Four-Faith F3x36 Router
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-09&hos
No detection rules found.
No public exploits indexed.