Missing Authentication for Critical Function in F3x36 - CVE-2024-9644

 


Published: May 21, 2026


Vulnerability identifier: #VU132040
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-9644
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Four-Faith
Affected software:
F3x36

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a missing authentication check in the administrative web server. A remote attacker can use the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint to modify device settings, which can lead to remote code execution when chained with another vulnerability.


How to mitigate CVE-2024-9644

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
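
With no official fix listed, requests to the "bapply.cgi" endpoint named in the description can be looked for in HTTP logs. The following is an added detection example, not code from the vendor or from this advisory; it assumes Common Log Format lines from a proxy or gateway in front of the device, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines (assumed Common Log Format from a proxy or gateway
# in front of the device); addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - admin [21/May/2026:10:00:01 +0000] "POST /apply.cgi HTTP/1.1" 200 512
198.51.100.7 - - [21/May/2026:10:02:13 +0000] "POST /bapply.cgi HTTP/1.1" 200 498
198.51.100.7 - - [21/May/2026:10:02:15 +0000] "POST /%62apply.cgi?x=1 HTTP/1.1" 200 498
203.0.113.5 - - [21/May/2026:10:05:40 +0000] "GET /index.asp HTTP/1.1" 401 120
203.0.113.9 - - [21/May/2026:10:06:02 +0000] "POST /BAPPLY.CGI HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def endpoint_name(target):
    """Return the lower-cased, percent-decoded last path segment of a request target."""
    path = urlsplit(target).path          # drops the query string
    return unquote(path).rsplit("/", 1)[-1].lower()

def find_bapply_requests(log_text):
    """Group requests to bapply.cgi by source address; mark those the server did not reject."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or endpoint_name(m["target"]) != "bapply.cgi":
            continue
        status = int(m["status"])
        hits[m["src"]].append({
            "time": m["ts"], "method": m["method"], "target": m["target"],
            "status": status, "accepted": 200 <= status < 400,
        })
    return dict(hits)

if __name__ == "__main__":
    for src, events in find_bapply_requests(SAMPLE_LOG).items():
        for e in events:
            tag = "ACCEPTED" if e["accepted"] else "rejected"
            print(f'{src} {e["time"]} {e["method"]} {e["target"]} {e["status"]} {tag}')
```

The case folding and percent-decoding are a defensive assumption so that encoded or re-cased spellings of the endpoint are not missed; any hit marked as accepted warrants a review of the device's current settings.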
