Four-Faith Industrial Routers Exploited to Fuel Global Botnet Campaign

Attackers are exploiting a critical authentication bypass flaw in Four-Faith industrial routers to enroll them into botnets for DDoS and proxy attacks.

CSBadmin

Massive Exploitation Campaign Underway

Security researchers have detected a significant surge in attacks targeting Four-Faith F3x36 industrial cellular routers. The exploitation leverages a critical authentication bypass flaw that allows attackers to gain full administrative control over these devices. CrowdSec telemetry indicates that exploitation began in late April 2026 and has rapidly escalated, with at least 139 unique attacker IPs observed as of mid-May. The activity was reclassified as mass exploitation, signaling a coordinated, automated campaign.

The vulnerability is rooted in hardcoded administrative credentials embedded in the routers’ web management interface. Attackers send specially crafted HTTP requests to specific endpoints, bypassing login mechanisms entirely. This grants them the ability to modify configurations, extract sensitive data, and establish persistent control. Publicly available exploit tools have further lowered the barrier for attackers.

Impact on Botnet Infrastructure

Analysis shows that 76% of these attacks aim to hijack routers for inclusion into botnets. Once compromised, these devices are used to launch distributed denial-of-service (DDoS) attacks, proxy malicious traffic to obscure attacker origins, and serve as footholds for lateral movement into network environments. The campaign exhibits a global footprint, with attack sources traced to the United Kingdom, Germany, the United States, and the Netherlands, indicating automated, widespread scanning.

Four-Faith F3x36 routers are commonly deployed in industrial and edge environments such as warehouses, utilities, and branch offices. These devices often operate with minimal oversight and are rarely patched, making them exceptionally vulnerable. A compromised router not only provides persistent access but also allows attackers to intercept traffic and pivot deeper into critical networks, posing serious risks to industrial operations.

Source: Cyber Security News
