← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2024-9643 · CWE-489 · Disclosed 2025-02-04

The Four-Faith F3x36 router using firmware v2

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a master key left under the doormat of a small but very exposed building

CVE-2024-9643 is an authentication bypass in the Four-Faith F3x36 administrative web server caused by hard-coded debug credentials. The affected target is tightly scoped: Four-Faith F3x36 routers running firmware v2.0.0. Cisco Talos documented the underlying pattern in a related codebase: the web server accepts a fixed Basic Auth pair (ffadmin:ffadminff), which turns an ordinary admin page request into a full administrative session.

The vendor/CNA 9.8 CRITICAL score is technically defensible in a vacuum because exploitation is remote, unauthenticated, and lands on the management plane of an edge router. In the real world, I would downgrade one notch to HIGH because the exposure population is narrow: one industrial router family, one firmware line, and a niche enterprise footprint. That said, the downgrade is modest because this is still an internet-weaponizable edge-device bug, public detection content exists, and CrowdSec reported active exploitation beginning April 20, 2026 with mass exploitation by May 12, 2026.

"Unauth admin on an internet-facing router is ugly, but the narrow product/firmware scope keeps this below fleet-wide CRITICAL."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find exposed F3x36 web interfaces

Attackers use internet-wide discovery tooling such as Censys, Shodan, or FOFA-style queries to locate Four-Faith administrative interfaces reachable over HTTP. VulnCheck reported roughly 15,000 internet-facing devices for the broader F3x24/F3x36 family in related exploitation research; that is not a CVE-2024-9643-specific count, but it is a strong proxy for reachable attack surface.
Conditions required:
  • The router management UI is reachable from the internet or an untrusted network
  • The device belongs to the F3x36 family and is on vulnerable firmware
Where this breaks in practice:
  • Many enterprises never expose router admin HTTP directly
  • Asset inventories often hide these devices behind carriers, NAT, or private APNs
  • The exposure estimate is for the product family, not this exact vulnerable build
Detection/coverage: External ASM platforms can often see the device banner or web interface, but version certainty is weak without deeper fingerprinting.
STEP 02

Validate the hard-coded credential path with curl or a nuclei template

The attacker sends a benign GET to an admin resource such as /Status_Router.asp with Basic Auth using the known debug credential pair. Cisco Talos showed the equivalent pattern in the related Yifan code path, and ProjectDiscovery later shipped a public nuclei check for CVE-2024-9643, which lowers the operator skill required for mass scanning.
Conditions required:
  • The management endpoint must respond over HTTP
  • The firmware must still honor the embedded debug credential logic
Where this breaks in practice:
  • Admin UI may be IP-restricted, VPN-only, or firewalled
  • Some field deployments may have upstream ACLs that block direct access
  • Safe scanners can prove auth bypass, but not always identify exact firmware with certainty
Detection/coverage: Network telemetry can catch repeated GETs to admin pages and unusual Basic Auth attempts. IDS/WAF signatures are feasible because the path and auth pattern are stable.
STEP 03

Take administrative control of the router

Once authenticated with the fixed credential, the attacker lands in the administrative plane and can read configuration, change settings, alter routing, or establish persistent access. On an industrial cellular router, that often means ownership of the communications chokepoint rather than just one app process.
Conditions required:
  • Successful use of the hard-coded credential
  • Administrative functionality exposed through the web server
Where this breaks in practice:
  • Blast radius is usually one device/site at a time
  • Some environments segment OT data paths enough that router compromise does not equal domain compromise
Detection/coverage: Router logs may record config changes, but edge devices often have weak retention. EDR typically has no coverage on this class of appliance.
STEP 04

Optionally chain into command execution or botnet use

Admin access can be used directly for infrastructure takeover, or chained with related management flaws such as CVE-2024-12856 on the same product family to reach OS command execution. CrowdSec's May 18, 2026 reporting says attackers are already using CVE-2024-9643 for botnet-oriented infrastructure takeover, which is exactly what you'd expect from exposed router admin compromise.
Conditions required:
  • Attacker wants persistence, proxying, or follow-on execution
  • Related vulnerable functionality is present and reachable
Where this breaks in practice:
  • Chaining to code execution is a separate vulnerability, not guaranteed by CVE-2024-9643 alone
  • Not every compromised router provides useful east-west reach into the enterprise
Detection/coverage: Watch for config drift, unusual outbound sessions, DNS changes, and HTTP POSTs to management CGI endpoints. Scanner coverage is better for the auth bypass than for post-compromise behavior.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusYes, active exploitation evidence exists now. CrowdSec reported exploitation first observed on 2026-04-20 and reclassified to Mass Exploitation on 2026-05-12.
KEV statusNot in CISA KEV as checked against the public catalog URL, even though CrowdSec now reports active abuse.
Proof-of-concept availabilityPublic and low-friction. Cisco Talos published request-level proof for the related leftover debug credential logic, and ProjectDiscovery release notes show a public nuclei template for CVE-2024-9643.
EPSS0.1585 from the user-supplied intel block. Treat as a supporting signal, not the deciding one; current exploitation telemetry matters more here.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — pure remote unauthenticated compromise of the management plane, which is why the baseline starts very high.
Affected versionsFour-Faith F3x36 firmware v2.0.0. I found no authoritative evidence broadening this CVE beyond that version.
Fixed versionNo vendor-confirmed fixed firmware identified in the sources reviewed. Four-Faith exposes product and download pages, but I did not find a CVE-specific patch advisory or a named remediating version.
Exposure dataMaterial edge exposure is plausible. VulnCheck reported about 15,000 internet-facing F3x24/F3x36 devices in research on the related CVE-2024-12856. That number is for the broader product family, so treat it as an exposure proxy, not a precise vulnerable count for CVE-2024-9643.
Disclosure date2025-02-04 in NVD/OpenCVE metadata.
Reporting researcher / orgJacob Baines / VulnCheck is credited by the advisory; Cisco Talos / Francesco Benvenuto documented the underlying leftover debug credential pattern in the related TALOS-2023-1752 research.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.7/10)

The single biggest downward pressure is population narrowing: this is a niche industrial router family with a currently evidenced vulnerable build of firmware v2.0.0, not a broadly deployed enterprise platform. It stays HIGH because the attacker position is still unauthenticated remote, the target sits on the network edge, and there is now concrete exploitation telemetry showing botnet-driven operationalization.

HIGH Exploitability of exposed vulnerable devices
MEDIUM True enterprise-wide exposure prevalence
MEDIUM Availability of a vendor patch

Why this verdict

  • Start at 9.8: vendor scoring is reasonable because this is remote, unauthenticated admin compromise of an edge router.
  • Adjust down for product narrowness: affected scope is one industrial router line and a specifically cited firmware build, which sharply limits the reachable population compared with Exchange, PAN-OS, or Ivanti-class fleet issues.
  • Adjust down for blast radius per event: a compromise usually burns one router/site at a time; the impact is severe locally but not inherently domain-wide without additional pivot paths.
  • Adjust back up for attacker position: no auth, no user interaction, and no prior foothold are required if the management UI is exposed.
  • Adjust back up for current threat reality: CrowdSec reported active exploitation beginning 2026-04-20 and mass exploitation on 2026-05-12, which removes any 'theoretical only' comfort.

Why not higher?

I am not calling this CRITICAL because the real-world victim population is constrained by product, firmware, and deployment model. Most enterprises do not run large fleets of Four-Faith F3x36 routers, and many that do will keep management access behind carrier/private network controls or VPNs. That narrowing matters.

Why not lower?

I am not pushing this to MEDIUM because the exploit chain does not require prior compromise, credentials, or user interaction once the interface is reachable. On an exposed device, this is direct admin takeover of an edge communications node, and active abuse is already documented.

05 · Compensating Control

What to do — in priority order.

  1. Block internet access to the admin UI — Remove HTTP/HTTPS management exposure from the public internet and untrusted WAN segments. For a HIGH verdict, deploy this compensating control within 30 days; because there is active exploitation evidence, treat it as immediate, within hours in practice.
  2. Restrict management to a VPN or jump host — Force administration through a private APN, site-to-site VPN, or bastion with source-IP allowlisting so the hard-coded credential path is not reachable by arbitrary scanners. Implement within 30 days, or within hours if the device is currently internet-facing.
  3. Segment the router from critical OT and IT zones — Assume a compromised router becomes an adversary-controlled pivot and proxy. Apply ACLs so the device can reach only required upstream services and cannot freely initiate east-west traffic; for HIGH, complete within 30 days.
  4. Monitor for admin-page probes and config drift — Alert on requests to admin resources such as /Status_Router.asp, unexpected Basic Auth attempts, DNS changes, route changes, and unexplained outbound beaconing. Detection content should be enabled immediately if patching is delayed.
  5. Inventory firmware precisely — Confirm which F3x36 assets are actually on v2.0.0 and prioritize only the genuinely exposed subset. Do this within 30 days, but front-load internet-facing devices first because scope clarity directly reduces risk.
What doesn't work
  • Relying on changed admin passwords alone doesn't help if the hard-coded debug credential is still accepted by the web server.
  • EDR is mostly irrelevant on an appliance router; there is usually no agent coverage on the device itself.
  • Generic user-awareness or phishing controls do nothing here because exploitation is direct network access to the management interface.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump host that can reach the router over HTTP/HTTPS; it does not need shell access on the device. Invoke it as ./check_cve_2024_9643.sh http://192.0.2.10 or ./check_cve_2024_9643.sh https://router.example.com; no special privileges are required beyond network reachability.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# Check for CVE-2024-9643 on Four-Faith F3x36 routers
# Usage: ./check_cve_2024_9643.sh http://HOST[:PORT]
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -u

TARGET="${1:-}"
PATH_CHECK="/Status_Router.asp"
AUTH_HEADER="Authorization: Basic ZmZhZG1pbjpmZmFkbWluZmY="
TIMEOUT=10

if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN: usage: $0 http://HOST[:PORT]"
  exit 2
fi

# Trim trailing slash if present
TARGET="${TARGET%/}"
URL="${TARGET}${PATH_CHECK}"

fetch_headers() {
  local extra_header="$1"
  if [[ -n "$extra_header" ]]; then
    curl -k -sS -I --max-time "$TIMEOUT" -H "$extra_header" "$URL"
  else
    curl -k -sS -I --max-time "$TIMEOUT" "$URL"
  fi
}

fetch_body() {
  local extra_header="$1"
  if [[ -n "$extra_header" ]]; then
    curl -k -sS --max-time "$TIMEOUT" -H "$extra_header" "$URL"
  else
    curl -k -sS --max-time "$TIMEOUT" "$URL"
  fi
}

noauth_headers="$(fetch_headers "" 2>/dev/null)" || {
  echo "UNKNOWN: target unreachable or HTTP error"
  exit 2
}

auth_headers="$(fetch_headers "$AUTH_HEADER" 2>/dev/null)" || {
  echo "UNKNOWN: authenticated probe failed"
  exit 2
}

auth_body="$(fetch_body "$AUTH_HEADER" 2>/dev/null | head -c 4096)" || {
  echo "UNKNOWN: could not retrieve response body"
  exit 2
}

noauth_code="$(printf '%s' "$noauth_headers" | awk 'toupper($1) ~ /^HTTP\// {print $2; exit}')"
auth_code="$(printf '%s' "$auth_headers" | awk 'toupper($1) ~ /^HTTP\// {print $2; exit}')"

# Heuristics:
# - unauthenticated request usually returns 401/403 on protected admin page
# - vulnerable target accepts fixed debug Basic Auth and returns 200 + HTML that is not Unauthorized page
if [[ "$auth_code" == "200" ]]; then
  if printf '%s' "$auth_body" | grep -qiE '401 Unauthorized|The resource is `Unauthorized`|<TITLE>401 Unauthorized</TITLE>'; then
    echo "PATCHED"
    exit 0
  fi

  if printf '%s' "$auth_body" | grep -qiE '<html|<!DOCTYPE html|XHTML'; then
    echo "VULNERABLE"
    exit 1
  fi
fi

if [[ "$auth_code" == "401" || "$auth_code" == "403" ]]; then
  echo "PATCHED"
  exit 0
fi

if [[ "$noauth_code" == "401" || "$noauth_code" == "403" ]]; then
  echo "UNKNOWN: target appears protected, but hard-coded credential acceptance was not confirmed"
  exit 2
fi

echo "UNKNOWN: inconclusive response (noauth=$noauth_code auth=$auth_code)"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: identify every Four-Faith F3x36 in your environment, verify whether any are on firmware v2.0.0, and immediately isolate any internet-reachable management interface behind VPN-only or source-IP-restricted access. Because exploitation evidence now exists, do not lean on the normal noisgate mitigation SLA for HIGH; patch / mitigate immediately, within hours if exposed. For formal planning, the reassessed HIGH bucket means noisgate remediation SLA of ≤180 days, but if no vendor-fixed firmware is available, document that exception and keep the compensating controls in place continuously until replacement or a verified patched build is deployed.

Sources

  1. NVD CVE-2024-9643
  2. VulnCheck advisory: Four-Faith Hard-coded Credentials
  3. Cisco Talos TALOS-2023-1752 related debug credential research
  4. CrowdSec report: CVE-2024-9643 active exploitation
  5. ProjectDiscovery nuclei-templates release notes
  6. VulnCheck blog: Four-Faith industrial router CVE-2024-12856 exploited in the wild
  7. Four-Faith F3x36 product page
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.