H3C Magic R3010
- <= V100R014
A critical command injection vulnerability has been identified in several H3C Magic products, including the NX15, NX30 Pro, NX400, R3010, and BE18000, in all versions prior to their respective latest versions. The vulnerability arises from an unspecified processing flaw in the HTTP POST request handler for the '/api/wizard/networkSetup' endpoint. This flaw allows attackers to inject commands that could be executed on the device. Exploitation requires access to the local network.
Exploitation of this vulnerability allows for unauthorized command injection, potentially leading to arbitrary command execution on the affected device.
To reproduce this vulnerability, send an authenticated HTTP POST request to the '/api/wizard/networkSetup' endpoint with a payload that includes the command to be executed. This can be done using tools like curl or Postman.
Users are advised to upgrade to the latest version of the affected products. The latest versions for each product can be downloaded from the H3C official website.
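Until devices are upgraded, the request pattern described above (a POST to '/api/wizard/networkSetup' carrying an injected command) can be hunted for in HTTP logs from a proxy or network sensor on the LAN. The following detection sketch is an added example, not part of the original advisory or any H3C tooling. The JSON-lines log schema (`src`, `method`, `path`, `body`), the body field names and the sample records are constructed assumptions, since the advisory does not name the vulnerable parameter.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/api/wizard/networkSetup"  # endpoint named in the advisory
# Characters a shell treats as command separators or substitutions.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")

def string_values(node):
    """Yield every string found anywhere in a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from string_values(child)

def suspicious_fields(body):
    """Return the strings in a request body that contain shell metacharacters."""
    try:
        values = list(string_values(json.loads(body)))
    except ValueError:
        # Not JSON: treat as form data and inspect decoded names and values.
        values = [s for pair in parse_qsl(body, keep_blank_values=True) for s in pair]
    return [v for v in values if SHELL_META.search(v)]

def scan(log_lines):
    """Return (src, hits) for each POST to ENDPOINT whose body looks injected."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        path = urlsplit(rec["path"]).path.rstrip("/")
        if rec["method"].upper() != "POST" or path != ENDPOINT:
            continue
        hits = suspicious_fields(rec.get("body", ""))
        if hits:
            alerts.append((rec["src"], hits))
    return alerts

# Constructed sample records (placeholder field names, not real parameters).
SAMPLE = [json.dumps(r) for r in (
    {"src": "192.168.1.23", "method": "POST", "path": ENDPOINT,
     "body": '{"field_a": "home-net"}'},
    {"src": "192.168.1.57", "method": "POST", "path": ENDPOINT,
     "body": '{"field_a": "home-net", "field_b": "eth0;echo constructed"}'},
    {"src": "192.168.1.57", "method": "GET", "path": ENDPOINT, "body": ""},
    {"src": "192.168.1.23", "method": "POST", "path": "/api/other",
     "body": '{"field_a": "a|b"}'},
)]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE):
        print(f"ALERT {src} -> {ENDPOINT}: {hits}")
```

Wi-Fi passphrases and similar setup values can legitimately contain these characters, so treat a hit as a triage signal for reviewing the source host, not as proof of exploitation.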