H3C Magic NX30 Pro Command Injection Vulnerability

Vulnerability

A critical command injection vulnerability has been identified in the H3C Magic NX30 Pro router, affecting versions prior to V100R007. The vulnerability resides in the HTTP POST request handler, specifically within the '/api/wizard/getNetworkStatus' endpoint. Exploitation of this vulnerability requires access to the local network.

Impact

Successful exploitation allows for command injection with elevated privileges, potentially leading to unauthorized access or control over the affected device.

Reproduction

To reproduce this vulnerability, send an authenticated HTTP POST request to the '/api/wizard/getNetworkStatus' endpoint. The request must be crafted to include payloads that exploit the command injection flaw. This can be done using tools like Burp Suite or by writing a custom script that sends the malicious payloads.

Remediation

Users are advised to upgrade to version V100R007 or later. The latest version can be downloaded from the H3C official website.
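
To check which devices still need this upgrade, the following added example (not code from H3C or from this advisory) triages an inventory of NX30 Pro firmware strings against the fixed release V100R007. It assumes firmware strings contain a "V<digits>R<digits>" token that orders numerically; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed release named in the advisory: V100R007.
FIXED = (100, 7)

# Assumption: firmware strings carry a "V<digits>R<digits>" token,
# and releases order numerically on (V, R).
_VERSION_RE = re.compile(r"V(\d+)R(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (V, R) as integers, or None when no version token is present."""
    match = _VERSION_RE.search(text or "")
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(firmware):
    """Classify one firmware string as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(firmware)
    if version is None:
        # An unreadable version is never treated as patched.
        return "unknown"
    return "fixed" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Map each host to its status; inventory is {host: firmware string}."""
    return {host: classify(fw) for host, fw in inventory.items()}


# Constructed sample inventory (documentation addresses, illustrative strings).
SAMPLE_INVENTORY = {
    "192.0.2.1": "V100R006",
    "192.0.2.2": "NX30 Pro V100R007",
    "192.0.2.3": "v100r014",
    "192.0.2.4": "V099R012",
    "192.0.2.5": "",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Hosts reported as unknown should be checked by hand rather than assumed to be on a fixed release.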

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.