CVE-2024-9643

CriticalPublic PoC

Published: 04 February 2025

Published

04 February 2025

Modified

19 September 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.2625 96.3th percentile

Risk Priority 35 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9643 is a critical-severity Active Debug Code (CWE-489) vulnerability in Four-Faith F3X36 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

IA-5 mandates proper management of authenticators, prohibiting hard-coded credentials in the administrative web server to prevent authentication bypass.

AC-2 Account Management good match

prevent

AC-2 requires identification, management, and disabling of unnecessary accounts, directly addressing hard-coded administrative accounts that enable unauthorized access.

SC-7 Boundary Protection good match

prevent

SC-7 enforces boundary protection to monitor and control network communications, blocking remote crafted HTTP requests to the vulnerable web server.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1078.001 Default Accounts Stealth

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

Why these techniques?

Hard-coded credentials enable direct remote admin access to public-facing web interface (T1190) via default/embedded account abuse (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar…

to CVE-2023-32645.

Deeper analysisAI

CVE-2024-9643 is an authentication bypass vulnerability affecting the Four-Faith F3x36 router running firmware version v2.0.0. The flaw stems from hard-coded credentials within the administrative web server, allowing unauthorized access through crafted HTTP requests. It is classified under CWE-489 and CWE-798, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete compromise.

A remote attacker who knows the hard-coded credentials can exploit this vulnerability over the network with low complexity and no prior privileges or user interaction required. Successful exploitation grants full administrative access to the device, enabling confidentiality, integrity, and availability impacts such as data exfiltration, configuration changes, or denial of service. The issue resembles CVE-2023-32645 in nature.

Advisories from Talos Intelligence (TALOS-2023-1752) and VulnCheck provide further details on the vulnerability, including potential mitigation steps; security practitioners should consult these references for patch availability or workarounds specific to the affected firmware.