CVE-2024-9644

CriticalPublic PoC

Published: 04 February 2025

Published

04 February 2025

Modified

19 September 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.

Security Summary

CVE-2024-9644 is an authentication bypass vulnerability affecting the Four-Faith F3x36 router running firmware version 2.0.0. The flaw exists in the administrative web server, where authentication is not enforced for certain administrative functions when using the "bapply.cgi" endpoint instead of the standard "apply.cgi" endpoint. This issue, linked to CWE-306 and CWE-489, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-04.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to modify router settings arbitrarily. The vulnerability can also be chained with existing authenticated vulnerabilities to amplify impact.

The vulncheck advisory at https://vulncheck.com/advisories/four-faith-hidden-api provides further details on the issue, including potential mitigation steps.

Details

CWE(s): CWE-306CWE-489

Affected Products

four-faith

f3x36 firmware

2.0

References

https://vulncheck.com/advisories/four-faith-hidden-api
Third Party Advisory · disclosure@vulncheck.com