CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

Hackers are actively exploiting Four-Faith industrial routers to build botnets, leveraging a critical vulnerability identified as CVE-2024-9643. Security researchers from CrowdSec report a sharp rise in exploitation attempts targeting these devices, signaling a shift from initial probing to large-scale abuse. CVE-2024-9643 is a critical authentication bypass flaw affecting Four-Faith F3x36 industrial cellular routers. The vulnerability […] The post Hackers Hijacking Four-Faith Industrial Routers

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeBotnet Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity By Abinaya May 19, 2026 Hackers are actively exploiting Four-Faith industrial routers to build botnets, leveraging a critical vulnerability identified as CVE-2024-9643. Security researchers from CrowdSec report a sharp rise in exploitation attempts targeting these devices, signaling a shift from initial probing to large-scale abuse. CVE-2024-9643 is a critical authentication bypass flaw affecting Four-Faith F3x36 industrial cellular routers. The vulnerability stems from hard-coded administrative credentials embedded in the device’s web management interface. Attackers can use these credentials to send specially crafted HTTP requests to endpoints such as /Status_Router.asp, gaining full administrative access without proper authentication. With a CVSS score of 9.8, the flaw allows attackers to: Bypass login mechanisms and obtain admin privileges. Modify router configurations and network settings. Extract sensitive operational data. Establish persistent control over the device. Publicly available exploit templates, including a Nuclei detection script, have further simplified automated scanning and exploitation. Exploit timeline (Source: Crowdsec) Four-Faith Routers Targeted by Botnets The vulnerability was disclosed on February 4, 2025, but exploitation in the wild began on April 20, 2026. According to CrowdSec telemetry, at least 139 unique IP addresses have been involved in attacks as of May 18. Due to the rapid increase in activity, the issue was reclassified into the “Mass Exploitation” phase on May 12, 2026. The primary objective observed in 76% of attacks is the takeover of infrastructure. Once compromised, routers are integrated into botnets, allowing threat actors to: Launch distributed denial-of-service (DDoS) attacks. Proxy malicious traffic to hide the attacker’s origins. Use compromised devices as footholds for lateral movement. The campaign is globally distributed, with attack sources identified in the United Kingdom, Germany, the United States, and the Netherlands, indicating automated, large-scale scanning operations. Attack location (Source: Crowdsec) Four-Faith F3x36 routers are widely deployed in industrial and remote environments, including warehouses, retail outlets, utilities, and branch offices. These devices often operate at the network edge and are rarely updated or monitored closely. This makes them ideal targets. A compromised router not only provides persistent access but also allows attackers to intercept traffic and pivot deeper into internal networks. In many cases, these devices become long-term assets in botnet infrastructure due to poor visibility and patching practices. Mitigation and Defense Organizations using Four-Faith routers should take immediate action: Apply vendor- or supplier-provided firmware updates without delay. Restrict access to router management interfaces using firewalls or VPNs. Monitor network traffic for unusual outbound connections or scanning behavior. Deploy threat detection tools such as CrowdSec to identify exploitation attempts. Block known malicious IPs using threat intelligence feeds, such as CrowdSec CTI blocklists. Security researchers, including Cisco Talos and VulnCheck, have previously highlighted the risks posed by hard-coded credentials in network devices, underscoring the importance of secure configuration practices. As attackers continue to weaponize exposed edge devices, unpatched industrial routers remain a high-risk entry point for botnet expansion and broader cyberattacks. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks TeamPCP Hackers Abuse CI/CD Pipelines to Steal Developer and Cloud Credentials Critical Marimo Security Vulnerability Enables Remote Code Execution Attacks Amazon Quick Bug Exposed AI Chat Agents to Users Blocked by Custom Permissions Packagist Urges Immediate Composer Update After GitHub Actions Token Leak Latest News Cyber Security News Critical Apache Flink Vulnerability Enables Remote code execution Attacks Cyber Security News Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup Cyber Security News Attackers Use Cloudflare Storage Endpoint to Exfiltrate Files From Compromised Networks Cyber Security News New VoidStealer Malware Bypasses Chrome’s Protection to Steal User Data Cyber Security News Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗