CVE-2024-9644

Name of the Vulnerable Software and Affected Versions Four-Faith F3x36 router version 2.0.0

Description The issue concerns an authentication bypass in the administrative web server of the Four-Faith F3x36 router. Specifically, authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. This allows a remote and unauthenticated user to modify settings or chain with existing authenticated vulnerabilities.

Recommendations For Four-Faith F3x36 router version 2.0.0, consider disabling access to the "bapply.cgi" endpoint until a patch is available to prevent unauthorized modifications to settings. Restrict access to administrative functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.