CVE-2024-9644 | THREATINT

Description

The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities.

PUBLISHED Reserved 2024-10-08 | Published 2025-02-04 | Updated 2025-11-19 | Assigner VulnCheck

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-489 Active Debug Code

CWE-306 Missing Authentication for Critical Function

Product status

Default status

unaffected

2.0.0 (semver)

affected

Credits

Jacob Baines finder

References

vulncheck.com/advisories/four-faith-hidden-api third-party-advisory

cve.org (CVE-2024-9644)

nvd.nist.gov (CVE-2024-9644)

Download JSON