Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity

May 27, 2026

Hackers are actively exploiting Four-Faith industrial routers to build botnets, leveraging a critical vulnerability identified as CVE-2024-9643.

Security researchers from CrowdSec report a sharp rise in exploitation attempts targeting these devices, signaling a shift from initial probing to large-scale abuse.

CVE-2024-9643 is a critical authentication bypass flaw affecting Four-Faith F3x36 industrial cellular routers.

The vulnerability stems from hard-coded administrative credentials embedded in the device’s web management interface.

Attackers can use these credentials to send specially crafted HTTP requests to endpoints such as /Status_Router.asp, gaining full administrative access without proper authentication.

With a CVSS score of 9.8, the flaw allows attackers to:

  • Bypass login mechanisms and obtain admin privileges.
  • Modify router configurations and network settings.
  • Extract sensitive operational data.
  • Establish persistent control over the device.

Publicly available exploit templates, including a Nuclei detection script, have further simplified automated scanning and exploitation.

Exploit timeline (Source: CrowdSec)

Four-Faith Routers Targeted by Botnets

The vulnerability was disclosed on February 4, 2025, but exploitation in the wild began on April 20, 2026.

According to CrowdSec telemetry, at least 139 unique IP addresses have been involved in attacks as of May 18.

Due to the rapid increase in activity, the issue was reclassified into the “Mass Exploitation” phase on May 12, 2026.

The primary objective observed in 76% of attacks is the takeover of infrastructure. Once compromised, routers are integrated into botnets, allowing threat actors to:

The campaign is globally distributed, with attack sources identified in the United Kingdom, Germany, the United States, and the Netherlands, indicating automated, large-scale scanning operations.

Attack location (Source: CrowdSec)

Four-Faith F3x36 routers are widely deployed in industrial and remote environments, including warehouses, retail outlets, utilities, and branch offices.

These devices often operate at the network edge and are rarely updated or monitored closely.

This makes them ideal targets. A compromised router not only provides persistent access but also allows attackers to intercept traffic and pivot deeper into internal networks.

In many cases, these devices become long-term assets in botnet infrastructure due to poor visibility and patching practices.

Mitigation and Defense

Organizations using Four-Faith routers should take immediate action:

  • Apply vendor- or supplier-provided firmware updates without delay.
  • Restrict access to router management interfaces using firewalls or VPNs.
  • Monitor network traffic for unusual outbound connections or scanning behavior.
  • Deploy threat detection tools such as CrowdSec to identify exploitation attempts.
  • Block known malicious IPs using threat intelligence feeds, such as CrowdSec CTI blocklists.
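
One way to act on the monitoring and access-restriction items above, as an added example that is not from the original article or from CrowdSec: it scans HTTP access logs for requests to the management page the article names (/Status_Router.asp) that come from outside an approved management range. The log format (common/combined, as written by a proxy or HTTP-aware sensor in front of the router), the allowlist ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: management access is only expected from these ranges (placeholders).
MGMT_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
# Only path named in the article; extend with the pages your own devices expose.
WATCHED_PATHS = ("/status_router.asp",)

# Common/combined access-log format (assumed sensor or proxy output).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges), not real telemetry.
SAMPLE_LOG = """\
10.20.0.15 - - [18/May/2026:09:01:11 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5120
198.51.100.23 - - [18/May/2026:09:02:40 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5120
198.51.100.23 - - [18/May/2026:09:02:41 +0000] "POST /status_router.asp?x=1 HTTP/1.1" 200 88
203.0.113.77 - - [18/May/2026:09:05:02 +0000] "GET /Status_Router.asp HTTP/1.1" 401 0
203.0.113.77 - - [18/May/2026:09:05:09 +0000] "GET /index.html HTTP/1.1" 200 900
garbage line that does not parse
"""

def is_allowed(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in MGMT_ALLOWLIST)

def find_suspect_requests(log_text: str) -> list[dict]:
    """Return management-page requests that came from outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0].lower()  # drop query, ignore case
        if path in WATCHED_PATHS and not is_allowed(m["src"]):
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"])})
    return hits

def summarize(hits: list[dict]) -> dict:
    """Per-source hit counts, plus sources that received a 200 (triage these first)."""
    served = sorted({h["src"] for h in hits if h["status"] == 200})
    return {"per_source": dict(Counter(h["src"] for h in hits)), "served_200": served}

if __name__ == "__main__":
    print(summarize(find_suspect_requests(SAMPLE_LOG)))
```

Any hit at all means the management interface is reachable from outside the approved range, which is the exposure the firewall or VPN restriction is meant to close.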

Security researchers, including Cisco Talos and VulnCheck, have previously highlighted the risks posed by hard-coded credentials in network devices, underscoring the importance of secure configuration practices.

As attackers continue to weaponize exposed edge devices, unpatched industrial routers remain a high-risk entry point for botnet expansion and broader cyberattacks.

Source: CybersecurityNews.com
