
CVE-2024-9643: Four-Faith Router Authentication Bypass Fuels Botnet Activity

Old Routers, New Botnets: Four-Faith Devices Under Active Attack

The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2024-9643, a critical authentication bypass flaw in Four-Faith F3x36 industrial routers.

Key findings

  • The vulnerability was published on February 4, 2025. CrowdSec released a detection rule on 15 April 2026, and exploitation was first observed in the wild on 20 April.
  • CrowdSec has observed 139 attacking IPs through 18 May, with activity rising enough to move this CVE into the Mass Exploitation phase on 12 May.
  • The dominant attacker objective is infrastructure takeover, which fits a familiar pattern: exposed routers get folded into botnets and reused as launchpads for larger campaigns.

What is Four-Faith F3x36?

The Four-Faith F3x36 is an industrial cellular router used to connect remote sites, field equipment, and branch infrastructure. Devices like this often sit in warehouses, retail locations, utility environments, and small distributed offices where they quietly keep operations online.

That also makes them valuable to attackers. A compromised router is not just one more device to own. It sits in the traffic path, can expose internal systems, and can be repurposed as durable attack infrastructure. In plain terms, this is how neglected edge hardware turns into someone else’s botnet.

How does CVE-2024-9643 work?

This vulnerability comes from hard-coded administrative credentials left in the router’s web interface. An attacker who knows those credentials can send crafted HTTP requests to management pages, such as /Status_Router.asp, to gain administrator access without going through normal authentication.

With admin access, an attacker can read sensitive information, change device settings, and take lasting control of the router. Public detection content is already available, including a nuclei template, which lowers the barrier for widespread scanning and automated exploitation.
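One way to check whether a router's management page has been requested from outside your management network is to scan web access logs for /Status_Router.asp. This is an added example, not CrowdSec's detection rule or code from the referenced reports. It assumes a reverse proxy or capture point in front of the router that writes combined-format access logs. The management network 10.20.0.0/24 and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

MGMT_PATH = "/Status_Router.asp"  # management page named in the write-up
# Assumption: the only networks that should reach the router's web interface.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspect_requests(lines):
    """Map source IP -> [(timestamp, status)] for management-page requests
    that come from outside MGMT_NETS. Unparseable lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Compare the path without its query string, case-insensitively,
        # so small variations of the request still match.
        if m["path"].split("?", 1)[0].lower() != MGMT_PATH.lower():
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address
        if any(addr in net for net in MGMT_NETS):
            continue
        hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def reached_admin_page(hits):
    """Source IPs that were served the management page (HTTP 200)."""
    return sorted(ip for ip, reqs in hits.items() if any(s == 200 for _, s in reqs))

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '10.20.0.5 - - [01/Jan/2026:08:01:10 +0000] "GET /Status_Router.asp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2026:09:14:02 +0000] "GET /Status_Router.asp HTTP/1.1" 401 312',
    '198.51.100.23 - - [01/Jan/2026:09:15:44 +0000] "GET /status_router.asp?x=1 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Jan/2026:09:15:45 +0000] "GET /favicon.ico HTTP/1.1" 200 900',
    'truncated line',
]

if __name__ == "__main__":
    hits = find_suspect_requests(SAMPLE_LOG)
    for ip in reached_admin_page(hits):
        print(f"{ip} was served {MGMT_PATH}: {hits[ip]}")
```

Any address returned by reached_admin_page was served the page from outside the management network and is a reason to review that router's configuration and credentials.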

The issue was documented by Cisco Talos in related debug-credential research, and VulnCheck has also tracked the affected Four-Faith product line. For technical details, see the Talos report, the VulnCheck advisory, and the public nuclei template.

Research credit: Cisco Talos on LinkedIn and X, plus VulnCheck on LinkedIn and X.

Threat Landscape Analysis

CrowdSec telemetry shows this activity moving beyond isolated probing. Exploitation was first observed on April 20 and escalated to the point of being reclassified as Mass Exploitation on May 12, a strong signal that attackers are operationalizing this flaw at scale.

The business pattern matters here. Router exploitation is rarely the final goal. In this case, 76% of observed attacker objectives align with infrastructure takeover, and commerce organizations account for the largest share of impacted environments. That combination suggests attackers are looking for easy-to-reuse edge devices they can absorb into botnets, proxy traffic through, or use as footholds for the next stage of intrusion.

Geographically, the activity is broad rather than tied to a single region, with notable attacking sources observed from the United Kingdom, Germany, the United States, and the Netherlands. That spread is consistent with automated campaigns rather than a narrowly targeted intrusion set.

How to protect your systems

Patch immediately: If a fixed firmware version is available from Four-Faith or your device supplier, prioritize these routers now. A CVSS score of 9.8 and public exploit knowledge make delay expensive.

CrowdSec Protection:

  • Install the CrowdSec Security Engine to detect malicious behavior targeting exposed services and administration interfaces.
  • Subscribe to the CrowdSec CTI Blocklists to proactively block IPs associated with exploitation campaigns and botnet-building activity.
