CVE-2024-9644

CRITICAL EXPLOITED

Four-faith F3x36 Firmware - Authentication Bypass

Title source: rule

Description

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.

References (1)

[Third Party Advisory] https://vulncheck.com/advisories/four-faith-hidden-api

Scores

CVSS v3 9.8

EPSS 0.0002

EPSS Percentile 6.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-02-09

CWE

CWE-489 CWE-306

Status published

Products (1)

four-faith/f3x36_firmware 2.0

Published Feb 04, 2025

Tracked Since Feb 18, 2026