CVE-2024-9644
CRITICAL EXPLOITEDFour-Faith F3x36 Firmware v2.0.0 - Authentication Bypass via bapply.cgi Endpoint
Title source: llmExploitation Summary
CVE-2024-9644 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.
References (1)
Core 1
Core References
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/four-faith-hidden-api
Scores
CVSS v3
9.8
EPSS
0.0064
EPSS Percentile
45.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2025-02-09
CWE
CWE-489
CWE-306
Status
published
Products (1)
four-faith/f3x36_firmware
2.0
Published
Feb 04, 2025
Tracked Since
Feb 18, 2026