CVE-2024-9643
Published: 04 February 2025
Description
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645.
Security Summary
CVE-2024-9643 is an authentication bypass vulnerability affecting the Four-Faith F3x36 router running firmware version v2.0.0. The flaw stems from hard-coded credentials within the administrative web server, allowing unauthorized access through crafted HTTP requests. It is classified under CWE-489 and CWE-798, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete compromise.
A remote attacker who knows the hard-coded credentials can exploit this vulnerability over the network with low complexity and no prior privileges or user interaction required. Successful exploitation grants full administrative access to the device, enabling confidentiality, integrity, and availability impacts such as data exfiltration, configuration changes, or denial of service. The issue resembles CVE-2023-32645 in nature.
Advisories from Talos Intelligence (TALOS-2023-1752) and VulnCheck provide further details on the vulnerability, including potential mitigation steps; security practitioners should consult these references for patch availability or workarounds specific to the affected firmware.
Details
- CWE(s)