H3C Magic NX30 Pro and Magic NX400 Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the H3C Magic NX30 Pro and Magic NX400 routers, affecting all versions prior to V100R014. The issue arises in the '/api/wizard/getNetworkConf' endpoint, where unauthorized manipulation can lead to execution of arbitrary commands on the device. Exploitation requires local network access.
Impact
Exploitation of this vulnerability allows for unauthorized command execution on the affected router, with potential to disrupt network availability.
Reproduction
To reproduce this vulnerability, send a crafted POST request to the '/api/wizard/getNetworkConf' endpoint from within the local network. The request does not need to carry credentials, as the vulnerability does not require authentication.
Remediation
Users are advised to upgrade to version V100R014 or later. The updated version can be downloaded from the H3C website.
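Until a device is upgraded, POST requests to the affected endpoint can be watched for in HTTP logs from a network sensor. The following is an added example, not part of the original advisory or any H3C tooling; it assumes Zeek-style JSON HTTP records, a hypothetical router address of 192.168.1.1, and uses constructed sample records.

```python
import json
import posixpath
from collections import defaultdict
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/wizard/getNetworkConf"  # path named in the advisory
ROUTERS = {"192.168.1.1"}                # assumption: IPs of affected routers

# Constructed sample records using Zeek http.log JSON field names.
SAMPLE_LOG = """\
{"id.orig_h": "192.168.1.23", "id.resp_h": "192.168.1.1", "method": "GET", "uri": "/index.html"}
{"id.orig_h": "192.168.1.57", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/api/wizard/getNetworkConf"}
{"id.orig_h": "192.168.1.57", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/api//wizard/./getNetworkConf?step=1"}
{"id.orig_h": "192.168.1.80", "id.resp_h": "192.168.1.1", "method": "POST", "uri": "/api/wizard/getNetworkCon%66"}
{"id.orig_h": "192.168.1.23", "id.resp_h": "192.168.1.1", "method": "GET", "uri": "/api/wizard/getNetworkConf"}
{"id.orig_h": "192.168.1.23", "id.resp_h": "192.168.1.50", "method": "POST", "uri": "/api/wizard/getNetworkConf"}
"""

def normalize(uri):
    """Reduce a request URI to a canonical path so trivial variants still match."""
    path = unquote(urlsplit(uri).path)  # drop query string, decode %xx
    return posixpath.normpath(path) if path else "/"  # collapse // and /./

def find_hits(log_text, routers=ROUTERS):
    """Return {source_ip: [records]} for POSTs to the endpoint on a listed router."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if rec.get("id.resp_h") not in routers:
            continue
        if normalize(rec.get("uri", "")) == ENDPOINT:
            hits[rec.get("id.orig_h", "unknown")].append(rec)
    return dict(hits)

if __name__ == "__main__":
    for src, recs in find_hits(SAMPLE_LOG).items():
        print(f"{src}: {len(recs)} POST(s) to {ENDPOINT}")
```

Each reported source is a local host that sent a POST to the endpoint and is worth reviewing alongside the upgrade to V100R014 or later.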
