H3C Magic Products Command Injection Vulnerability in HTTP POST Request Handler

Vulnerability

A critical command injection vulnerability has been identified in several H3C Magic products, including the NX15, NX30 Pro, NX400, R3010, and BE18000, in all versions prior to V100R014. The vulnerability resides in the HTTP POST request handler for the '/api/login/auth' endpoint. Exploitation requires access to the local network.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device, with the potential to disrupt network availability.

Reproduction

The vulnerability can be reproduced from within the local network by sending a crafted HTTP POST request to the '/api/login/auth' endpoint. No authentication is required.

Remediation

Users are advised to upgrade to the latest version of the affected products. The upgrade is available on the H3C Software Download page.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.