CVE-2024-9643

9.8 CRITICAL

📋 TL;DR

The Four-Faith F3x36 router firmware v2.0.0 contains hard-coded administrative credentials that let an attacker bypass authentication and take full administrative control of the device. Every organization running routers with this firmware version is affected. The flaw resembles issues previously reported in similar devices.

💻 Affected Systems

Products:
  • Four-Faith F3x36 router
Versions: Firmware v2.0.0
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the specified firmware version are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network compromise: the attacker gains administrative router access, can intercept or modify all traffic, deploy malware, pivot to internal networks, and disable security controls.

🟠 Likely Case

Unauthorized administrative access leading to network reconnaissance, traffic interception, and potential lateral movement to connected systems.

🟢 If Mitigated

Limited impact if routers sit behind firewalls with strict inbound rules and network segmentation prevents lateral movement from a router compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests carrying the known credentials; the pattern is similar to CVE-2023-32645.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact Four-Faith for updated firmware
2. If available, download and install patched firmware
3. Verify credentials have been removed/changed

🔧 Temporary Workarounds

Network Access Control (platform: Linux)

Restrict administrative interface access to trusted IP addresses only. The rules below are appended in order, so the ACCEPT rules for TRUSTED_IP must precede the catch-all DROP rules; replace TRUSTED_IP with the address or CIDR range of the management host. They apply wherever the filtering is enforced with iptables, whether on the device itself or on an upstream Linux gateway in front of it.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Change Default Credentials (platform: all)

Change the administrative password where the interface allows it. Hard-coded credentials may still work after the change, so this step alone cannot be relied on to close the vulnerability.

🧯 If You Can't Patch

  • Isolate vulnerable routers in separate network segments with strict firewall rules
  • Monitor router administrative interfaces for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to log in to the administrative interface over HTTP with the known hard-coded credentials; a successful login confirms the device is vulnerable.

Check Version:

Check router web interface or console for firmware version information

Verify Fix Applied:

Verify that hard-coded credentials no longer work and that new credentials are required

📡 Detection & Monitoring

Log Indicators:

  • Successful administrative login from unexpected IP addresses
  • Multiple failed login attempts followed by success

Network Indicators:

  • HTTP requests to administrative interface from external IPs
  • Unusual administrative traffic patterns

SIEM Query:

source_ip=EXTERNAL AND (url_path CONTAINS "/admin" OR url_path CONTAINS "/login") AND response_code=200
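The two log indicators above, implemented as detection logic over constructed sample access-log lines. This is an added example, not part of the original advisory or of any vendor tooling; the log format, the internal address ranges and the failure threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample access-log lines: "src_ip method path status".
# Hypothetical format, not output from a real F3x36 device.
SAMPLE_LOG = """\
10.0.0.5 POST /login 200
203.0.113.7 POST /login 401
203.0.113.7 POST /login 401
203.0.113.7 POST /login 401
203.0.113.7 GET /admin 200
198.51.100.9 POST /login 200
10.0.0.5 GET /admin 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
ADMIN_PATHS = ("/admin", "/login")  # paths named in the SIEM query above
FAIL_THRESHOLD = 3  # assumed: failed logins before a success that count as suspicious
# Assumed definition of "internal": RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    """True when the source address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(log_text: str) -> list[tuple[str, str]]:
    """Return (indicator, source_ip) findings for the two log indicators:
    admin success from an external IP, and repeated failures followed by success."""
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PATHS):
            continue
        ip, status = m["ip"], int(m["status"])
        if status in (401, 403):
            failures[ip] += 1
        elif status == 200:
            if is_external(ip):
                findings.append(("external_admin_success", ip))
            if failures[ip] >= FAIL_THRESHOLD:
                findings.append(("failures_then_success", ip))
            failures[ip] = 0  # a success ends the failure run
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```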
