Hackers are exploiting Four-Faith industrial routers for botnet activity


Hackers are actively exploiting Four-Faith F3x36 industrial routers by abusing CVE-2024-9643, a critical authentication bypass vulnerability tied to hard-coded administrative credentials.

The flaw affects Four-Faith F3x36 routers running firmware v2.0.0. Attackers who know the embedded credentials can send crafted HTTP requests to the router’s web management interface and gain administrator access without normal login checks.

CrowdSec says exploitation has moved beyond simple scanning and into mass exploitation. The company observed 139 attacking IP addresses through May 18, 2026, and moved the vulnerability into its mass exploitation phase on May 12.

What is CVE-2024-9643?

CVE-2024-9643 is a critical vulnerability in the administrative web server of Four-Faith F3x36 industrial cellular routers. The issue comes from hard-coded credentials left inside the device’s management interface.

The vulnerability has a CVSS 3.1 score of 9.8, which places it in the critical severity range. The risk is high because the attack can work remotely, does not require prior authentication, and can give attackers full administrative control.

Once attackers reach the management interface, they can target pages such as /Status_Router.asp. Public detection templates also make it easier for attackers and defenders to identify exposed devices at scale.

| Detail | Information |
| --- | --- |
| CVE | CVE-2024-9643 |
| Affected product | Four-Faith F3x36 router |
| Affected firmware | Firmware v2.0.0 |
| Vulnerability type | Authentication bypass through hard-coded credentials |
| Severity | Critical, CVSS 9.8 |
| Main risk | Remote administrative access and device takeover |

Why attackers want these routers

Four-Faith F3x36 routers are used in industrial, remote, and distributed environments. They often connect warehouses, retail locations, utility sites, field equipment, and branch offices to the internet or private networks.

That makes them attractive botnet targets. Many edge devices stay online for long periods, receive fewer updates than standard computers, and often sit outside normal endpoint monitoring.

Once attackers compromise one of these routers, they can use it as part of a wider botnet. They may also use it to proxy traffic, hide malicious activity, or maintain access close to internal systems.

How the attacks are unfolding

CrowdSec reported that the vulnerability was published on February 4, 2025. The company added a detection rule on April 15, 2026, then observed exploitation in the wild beginning on April 20.

The rise in activity led CrowdSec to classify the issue as mass exploitation on May 12, 2026. The main attacker objective observed in the campaign is infrastructure takeover.

This pattern matches previous attacks against exposed routers and IoT devices. Attackers scan the internet for vulnerable hardware, compromise devices with repeatable exploits, and reuse the devices for large-scale malicious operations.

  • Attackers can gain administrator access to exposed router interfaces.
  • They can change router settings and maintain control over the device.
  • Compromised routers can support DDoS activity or malicious proxying.
  • Industrial and remote sites face extra risk because these devices may receive less monitoring.
  • Public templates can speed up automated scanning and exploitation.

Botnet activity raises the risk

The main concern is not only unauthorized access to one router. A vulnerable router can become part of a botnet that attackers control remotely.

Botnets built from edge devices can help attackers launch distributed denial-of-service attacks, route malicious traffic through trusted-looking networks, or create a hidden layer of infrastructure for later campaigns.

Routers also sit at important network positions. If attackers gain full control, they may inspect traffic, change DNS or routing behavior, or use the device as a stepping stone into nearby systems.

Who should take action

Any organization using Four-Faith F3x36 routers should check firmware versions and management exposure immediately. Devices running firmware v2.0.0 need urgent review because this is the version listed as affected in public vulnerability records.

Companies should pay special attention to routers exposed directly to the internet. Remote management interfaces should not remain publicly reachable unless strict controls protect them.

Industrial operators, retailers, utilities, logistics companies, and branch-heavy businesses may face higher exposure because they often rely on cellular routers in remote sites.

| Risk area | Why it matters |
| --- | --- |
| Internet-exposed management pages | Attackers can scan and target exposed router interfaces remotely. |
| Outdated firmware | Older firmware may contain known flaws and unsafe default behavior. |
| Low visibility at remote sites | Compromised routers may stay unnoticed for long periods. |
| Botnet reuse | Attackers can use routers for DDoS attacks, proxying, or follow-on activity. |

How to reduce the risk

The first step is to identify all Four-Faith F3x36 routers in use. Teams should confirm firmware versions, check whether management interfaces face the internet, and review logs for suspicious access attempts.

Organizations should apply vendor or supplier firmware updates where available. They should also place router management interfaces behind VPNs, firewalls, or trusted administrative networks.

Security teams should monitor outbound traffic from these routers. Unusual connections, scanning behavior, or traffic spikes can indicate compromise or attempted botnet enrollment.

  1. Inventory all Four-Faith F3x36 routers across remote and branch sites.
  2. Check whether any device runs firmware v2.0.0.
  3. Apply available firmware updates from the vendor or approved supplier.
  4. Block public access to web management interfaces.
  5. Restrict administration to VPNs or trusted IP addresses.
  6. Review router logs for unusual login attempts and configuration changes.
  7. Monitor outbound connections for botnet-like behavior.
  8. Replace devices that cannot be updated or securely managed.
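The log review in steps 5 and 6 above can be automated. The script below is an added example, not code from the article or from Four-Faith: it parses constructed web-access log lines from a router's management interface and flags successful requests to /Status_Router.asp (the page the article names as an attacker target) or configuration-changing POSTs that originate outside an assumed admin subnet (10.20.0.0/24).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in common log format, as a reverse proxy or syslog
# forwarder in front of the router's web management interface might record them.
# The /apply.cgi path is a constructed placeholder for a configuration endpoint.
SAMPLE_LOG = """\
10.20.0.5 - - [18/May/2026:08:01:12 +0000] "GET /index.asp HTTP/1.1" 200 1200
198.51.100.23 - - [18/May/2026:08:03:40 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5400
198.51.100.23 - - [18/May/2026:08:03:41 +0000] "POST /apply.cgi HTTP/1.1" 200 300
203.0.113.77 - - [18/May/2026:08:05:02 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5400
10.20.0.5 - - [18/May/2026:08:10:00 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5400
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Assumption: administration is only expected from this internal admin subnet.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Management page named in the article as a post-bypass target.
WATCH_PATHS = {"/Status_Router.asp"}


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def is_admin_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def find_suspicious(log_text):
    """Return (ip, path, method) for successful requests from outside the admin
    networks that hit a watched page or attempt a configuration change (POST)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or is_admin_source(rec["ip"]):
            continue
        if rec["path"] in WATCH_PATHS or rec["method"] == "POST":
            hits.append((rec["ip"], rec["path"], rec["method"]))
    return hits


def summarize(hits):
    """Count flagged requests per source IP, for triage and blocklist review."""
    return Counter(ip for ip, _, _ in hits)
```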

Why edge devices remain a weak point

Router vulnerabilities continue to attract attackers because edge devices combine internet exposure with long operating lifecycles. Many organizations patch servers and laptops faster than routers in warehouses, stores, and field locations.

Exploit timeline

CVE-2024-9643 shows how a single hard-coded credential issue can become a larger botnet problem once public exploit details and scanning templates become available.

For defenders, the priority is simple. Find exposed Four-Faith routers, patch or isolate them, and treat suspicious devices as potential footholds rather than ordinary network appliances.

FAQ

What is CVE-2024-9643?

CVE-2024-9643 is a critical authentication bypass vulnerability in Four-Faith F3x36 routers running firmware v2.0.0. It comes from hard-coded credentials in the administrative web server.

Why are hackers targeting Four-Faith routers?

Hackers are targeting these routers because they often sit at the network edge, remain online for long periods, and may not receive frequent updates or close monitoring. Compromised routers can also support botnet activity.

What can attackers do after exploiting CVE-2024-9643?

Attackers can gain administrator access, change router settings, maintain control over the device, proxy malicious traffic, and potentially use the router as part of a botnet.

When did exploitation of CVE-2024-9643 begin?

CrowdSec reported that exploitation in the wild began on April 20, 2026. The company moved the vulnerability into its mass exploitation phase on May 12, 2026.

How can organizations protect Four-Faith F3x36 routers?

Organizations should update firmware, block public access to management interfaces, restrict administration through VPNs or trusted IPs, monitor router traffic, and replace devices that cannot be securely updated.
