Threat actors are actively exploiting a critical authentication bypass flaw in Four-Faith F3x36 industrial cellular routers, with security researchers warning that the attacks have escalated into large-scale botnet activity. According to new CrowdSec telemetry, exploitation attempts tied to CVE-2024-9643 surged in recent weeks, prompting the company to classify the activity as ‘mass exploitation’ on May 12. The vulnerability, which carries a CVSS severity score of 9.8, allows attackers to gain administrator access through hard-coded credentials embedded in the router’s web interface.
The compromised routers are commonly deployed in industrial and remote environments, including utilities, warehouses, retail sites, and branch infrastructure, making them attractive footholds for cybercriminal operations.
“76% of observed attacker objectives align with infrastructure takeover, and commerce organizations account for the largest share of impacted environments,” Matthieu Mazzolini wrote in a CrowdSec post published this week. “That combination suggests attackers are looking for easy-to-reuse edge devices they can absorb into botnets, proxy traffic through, or use as footholds for the next stage of intrusion.”
Geographically, he observed that the activity is broad rather than tied to a single region, with notable attacking sources observed from the U.K., Germany, the U.S., and the Netherlands. “That spread is consistent with automated campaigns rather than a narrowly targeted intrusion set.”
Four-Faith F3x36 industrial cellular routers connect remote sites, field equipment, and branch infrastructure. Devices like this often sit in warehouses, retail locations, utility environments, and small distributed offices, where they quietly keep operations online, which is exactly what makes them valuable to attackers.
CrowdSec researchers stressed that a compromised router is not just one more device to own: it sits in the traffic path, can expose internal systems, and can be repurposed as durable attack infrastructure. “In plain terms, this is how neglected edge hardware turns into someone else’s botnet.”
The post attributes the vulnerability to hard-coded administrative credentials left in the router’s web interface. “An attacker who knows those credentials can send crafted HTTP requests to management pages, such as /Status_Router.asp, to gain administrator access without going through normal authentication.”
It added that with admin access, an attacker can read sensitive information, change device settings, and take lasting control of the router. Public detection content is already available, including a nuclei template, which lowers the barrier for widespread scanning and automated exploitation.
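One way to hunt for this pattern in a router’s own HTTP access log, as an added example (this is not CrowdSec’s detection content, not the nuclei template, and not Four-Faith code): the script below parses an assumed Common-Log-Format variant with the request’s Authorization header appended as a final field, decodes the Basic-auth username, and flags management-page requests that were served with a username the operator never created or that arrived from outside an assumed management network. The log format, the 10.20.0.0/24 management network, the “admin” account, and the sample lines are all constructed for illustration; the “test” account in them is a placeholder, not the hard-coded credential, which the article does not disclose.

```python
"""Triage an edge router's HTTP access log for the exploitation pattern described
above: requests to admin pages such as /Status_Router.asp that succeed with
credentials the operator never issued, or that come from outside the management
network.  Added example; log format, networks, accounts and log lines are assumed."""
import base64
import ipaddress
import re
from collections import Counter

MANAGEMENT_PAGES = {"/Status_Router.asp"}               # extend with your device's admin endpoints
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed: only network allowed to reach the admin UI
KNOWN_ADMINS = {"admin"}                                # assumed: the operator's legitimate admin accounts

# Assumed format: CLF fields, then the Authorization header as a final quoted field.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<auth>[^"]*)"'
)


def parse_line(line):
    """Parse one log line into a dict, decoding the Basic-auth username if present.
    Returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    auth = rec.pop("auth")
    rec["user"] = None
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            rec["user"] = decoded.split(":", 1)[0]
        except ValueError:  # binascii.Error is a ValueError subclass
            rec["user"] = "<undecodable>"
    return rec


def from_management_network(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETWORKS)


def classify(rec):
    """Return a reason string if the request matches the attack pattern, else None."""
    if rec["path"].split("?", 1)[0] not in MANAGEMENT_PAGES:
        return None
    served = rec["status"].startswith("2")
    external = not from_management_network(rec["src"])
    # Strongest signal: the admin page was served for a username the operator never
    # created.  A hard-coded account works from anywhere, including inside the network.
    if served and rec["user"] is not None and rec["user"] not in KNOWN_ADMINS:
        return "admin page served with non-operator credentials"
    if served and external:
        return "admin page served to source outside management network"
    if external:
        return "admin page probed from outside management network"
    return None


def triage(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "user": rec["user"], "reason": reason})
    return findings


def sources_by_hits(findings):
    """Count findings per source IP, most active first."""
    return Counter(f["src"] for f in findings).most_common()


# Constructed sample log: a legitimate admin session, an external scanner that first
# probes without credentials and then logs in with a placeholder non-operator account,
# the same account used from inside the management network, a benign page hit, and
# a malformed line that the parser must skip.
SAMPLE_LOG = """\
10.20.0.5 - - [12/May/2025:09:14:02 +0000] "GET /Status_Router.asp HTTP/1.1" 200 4312 "Basic YWRtaW46czNjcjN0"
203.0.113.77 - - [12/May/2025:09:15:31 +0000] "GET /Status_Router.asp HTTP/1.1" 401 0 "-"
203.0.113.77 - - [12/May/2025:09:15:32 +0000] "GET /Status_Router.asp HTTP/1.1" 200 4312 "Basic dGVzdDp0ZXN0"
10.20.0.9 - - [12/May/2025:09:40:07 +0000] "GET /Status_Router.asp?x=1 HTTP/1.1" 200 4312 "Basic dGVzdDp0ZXN0"
198.51.100.9 - - [12/May/2025:09:20:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"
this line is not in the expected format
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']}  {f['src']:<15} user={f['user']}  {f['reason']}")
    print(sources_by_hits(hits))
```

The credential check runs before the source check on purpose: a hard-coded account is a problem wherever the request comes from, so a login from inside the management network with an unrecognised username (the fourth sample line) is still flagged, while an unauthenticated 401 from the Internet is reported as a probe rather than a compromise. Feed the script your device’s real log format by adjusting LINE_RE and the three constants at the top.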
Cisco Talos documented the same class of issue in related debug-credential research, and VulnCheck has tracked the affected Four-Faith product line. Talos described a leftover debug code vulnerability in the httpd debug credentials functionality of the Yifan YF325 v1.0_20221108, where a specially crafted network request leads to authentication bypass; an attacker only has to send that request to trigger it.
CrowdSec added that, while the business pattern matters, router exploitation is rarely the final goal: the infrastructure-takeover figure and the commerce-sector concentration quoted above point to attackers collecting easy-to-reuse edge devices for botnets, proxy traffic, or the next stage of an intrusion rather than targeting any one victim.
Organizations should immediately patch affected Four-Faith routers if a fixed firmware version is available from Four-Faith or the device supplier. With a CVSS severity score of 9.8 and public exploit knowledge already circulating, delaying remediation significantly increases the risk of compromise. Where no fix is yet available, exposure can be reduced by keeping the web management interface off the WAN side and reachable only from a management network, and by reviewing access logs for requests to the management pages from unexpected sources.


