There is a category of vulnerability that security researchers call “trivially exploitable.” CVE-2024-9643, a critical flaw in Four-Faith F3x36 industrial routers, is that category in its purest form. The device ships with hard-coded administrative credentials built directly into the firmware. Any attacker who knows those credentials — and by May 12, 2026, many did — can log into your router, take full administrative control, and do whatever they want with it. No password required. No exploit needed. Just the static username and password that every single F3x36 on the planet shares.

CrowdSec, the threat intelligence firm that tracks this campaign, moved CVE-2024-9643 into the “mass exploitation” category on May 12. By May 18, their sensors had observed 139 distinct attacking IP addresses scanning for and attempting to exploit vulnerable devices. The campaign is active right now.

What Hard-Coded Credentials Actually Mean

The term “hard-coded credentials” sounds technical but the reality is straightforward: the manufacturer embedded a fixed username and password into the device’s firmware that cannot be changed by the user. It’s not a default password you forgot to change. It’s a password that doesn’t appear in any settings menu because it was never intended to be managed by the user at all — it’s baked into the code.

Legitimate uses of hard-coded credentials exist in some contexts — a maintenance backdoor for factory configuration, for instance. But in a router’s web management interface that’s accessible over the network, a shared credential that every unit of a given model shares is not a maintenance tool. It’s an open door.

An attacker who discovers those credentials — through reverse engineering the firmware, finding them in a leaked source code repository, or simply purchasing a device and inspecting it — now has them for every Four-Faith F3x36 router ever manufactured. The vulnerability doesn’t require any user interaction. It doesn’t require tricking someone into clicking a link. It just requires finding a device that has its management interface exposed to the internet and sending it the right HTTP request.

CVE-2024-9643 carries a CVSS score of 9.8 out of 10. It is classified as critical.

The F3x36 and Your Home Network

Four-Faith positions the F3x36 as an industrial cellular router — designed for applications like remote monitoring of utility infrastructure, transportation systems, and commercial facilities. It’s not a router you’re likely to find marketed at Best Buy.

But “industrial” doesn’t mean “not in homes.” Edge devices blur the line. Small business owners use industrial-grade routers because they’re more configurable. Remote workers set up cellular failover devices for reliability. Homeowners in rural areas with poor broadband use cellular routers as their primary connection. And whatever infrastructure is around your neighborhood — a nearby utility, a commercial building, a cell tower with backhaul equipment — may be running devices like this on networks that overlap with or are adjacent to your own.

More directly: once compromised, the F3x36 becomes a launching pad. Attackers who’ve seized control of a router don’t always care much about the original device. What they want is an infected device they can use to attack other things — to route malicious traffic in ways that obscure their origin, to conduct credential-stuffing attacks against banking and email services, or to add the device to a botnet that can be rented out.

The CrowdSec data shows that 76% of observed attacker objectives in this campaign align with “infrastructure takeover” — seizing the device to reuse it for downstream attacks. The attacker isn’t after your specific device. They’re after any device they can absorb.

The Timeline: From Published to Mass Exploitation

CVE-2024-9643 was first published in February 2025. The vulnerability was known. Security researchers documented the hard-coded credential issue and the associated authentication bypass that came with it (a related flaw, CVE-2024-9644, covers a second authentication bypass in the same product line).

For roughly fourteen months, the vulnerability sat in the public CVE database while relatively limited exploitation occurred. Then the dynamics shifted.

CrowdSec released a detection rule for CVE-2024-9643 on April 15, 2026. The first wild exploitation they observed in this campaign occurred on April 20. Through late April and into May, the exploitation remained in a growth phase. Then, on May 12, the campaign crossed the threshold into mass exploitation — the point where automated tooling is broadly scanning the internet for vulnerable devices and successfully compromising them at scale.

This pattern — a long gap between publication and mass exploitation, followed by rapid escalation — is common in IoT vulnerabilities. It often reflects the point at which a reliable exploit module gets incorporated into widely distributed botnet malware or crimeware toolkits, turning what was previously a manual, targeted attack into an automated campaign that anyone can run.

By May 18, 139 unique attacking IP addresses had been observed. That number continues to grow.

What Attackers Are Doing With Compromised Devices

The Four-Faith campaign has been linked to Mirai-based botnets. Mirai is malware that was originally released in 2016 and has since spawned dozens of variants, all sharing the same basic model: infect as many internet-connected devices as possible, particularly routers and cameras, and use them collectively to conduct DDoS attacks or proxy traffic.

Once a Four-Faith router is infected, the device typically gets used for one or more of the following:

DDoS participation. The router becomes part of a botnet that can collectively generate traffic far in excess of what any single machine could produce. These botnets are rented out on darknet markets to clients who want to knock websites or services offline.

Proxy routing. Traffic is routed through the compromised device to disguise the true origin of malicious requests. This is useful for credential-stuffing attacks (trying stolen username-password combinations against banking, email, and streaming sites), bypassing geographic blocks, and evading IP-based security controls.

Network reconnaissance. A router that’s been compromised gives attackers visibility into the network behind it — the devices, the traffic patterns, potentially the credentials being passed across it.

Persistence and pivot. In more targeted attacks, compromising an edge router is step one of a longer campaign. Once inside the network perimeter, attackers look for higher-value targets: servers, file shares, devices that contain sensitive data.

Geographic Distribution and Scale

The attacking IPs observed in this campaign originate from a broad geographic spread, with notable activity sourced from the United Kingdom, Germany, the United States, and the Netherlands. This pattern is consistent with a botnet using already-compromised infrastructure in multiple countries as its attack proxy layer — the devices scanning for vulnerable Four-Faith routers are themselves likely compromised machines, making attribution difficult.

Commerce organizations account for the largest share of impacted environments in this campaign, which tracks with the industrial router’s primary deployment contexts. But the botnet infrastructure built from these compromises has no inherent limit on what it targets next.

What To Do

If you have a Four-Faith F3x36: The hard-coded credentials make patching in the traditional sense insufficient — because the credentials aren’t accessible through the device’s settings interface, user-applied firmware updates may not be enough to remove them. Contact Four-Faith directly for guidance on whether updated firmware addresses the underlying hard-coded credential issue, and in the interim, ensure the device’s management interface is not exposed directly to the internet. Place it behind a firewall and restrict management access to specific, trusted IP addresses.

If you don’t have a Four-Faith F3x36, but have any industrial or business-grade edge router: Audit what management interfaces are exposed. Shodan and similar tools show exactly which devices have web management interfaces accessible from the open internet — if you can see your own device there, attackers can too. Management interfaces should never be internet-accessible without VPN or firewall protection.

If you’re on a home router: Check for firmware updates. The mass exploitation campaign for Four-Faith is specific to that device, but the broader lesson applies across all router hardware: manufacturers regularly release firmware updates that patch known vulnerabilities, and most routers don’t apply these automatically.

Monitor your network traffic. Unusual outbound connections — especially to unfamiliar IP addresses in large volumes, or at unusual hours — can be a sign that a device on your network has been compromised and is being used for botnet activity. Consumer-grade routers don’t always provide good visibility into this, but network monitoring tools like Pi-hole, pfSense, or OPNsense do.

The Four-Faith campaign isn’t a sophisticated, targeted attack. It’s the internet’s equivalent of trying every door on the street. The doors that are left unlocked — or in this case, the ones with the lock combination painted on the side — get opened. The ones with actual barriers don’t.

Hard-coded credentials are an unacceptable design decision in 2026. The fact that a flaw of this severity was published in February 2025 and reached mass exploitation in May 2026 with no evidence of widespread remediation is a reminder that the IoT security problem isn’t primarily about the sophistication of attackers. It’s about manufacturers shipping fundamentally insecure products and the absence of any regulatory floor requiring them to do better.

The Cyber Trust Mark program that the FCC is rebuilding under ioXt Alliance — covered in a separate piece this month — would explicitly prohibit devices with shared default credentials from earning certification. If that program reaches scale, routers like the F3x36 would never make it to market with these flaws intact. But that program is not yet at scale. And the routers are already out there.