H3C Magic R3010
Easy fix4 remedies
cpe:2.3:h:h3c:magic_r160:*:*:*:*:*:*:*
Easy fix4 remedies
- <= V100R014
H3C Magic Products Command Injection Vulnerability
Vulnerability
Patched
A critical command injection vulnerability has been identified in several H3C Magic home router models, including the NX15, NX30 Pro, NX400, and R3010, all prior to V100R014. The vulnerability resides in the HTTP POST request handler, specifically within the 'FCGI_WizardProtoProcess' function of the '/api/wizard/getCapability' endpoint. Exploitation of this vulnerability allows an attacker to execute arbitrary commands on the device, potentially leading to unauthorized access or control. The issue can only be exploited from within the local network.
Impact
Exploitation of this vulnerability allows for command injection, where an attacker can execute arbitrary commands on the affected device. This could lead to unauthorized access or control over the device, and in some cases, could disrupt the user's network connectivity.
Reproduction
To reproduce this vulnerability, send an authenticated HTTP POST request to the '/api/wizard/getCapability' endpoint. The request must include a payload that exploits the command injection vulnerability. This can be done using a tool like Burp Suite or by manually crafting the request with the malicious payload.
Remediation
Users are advised to upgrade to the latest version of the affected products. The upgrade is available on the H3C official website.
Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM
Vulnerability Rating
Custom Algorithm
spread
0.3impact
7.5exploitability
9.1remediation
8.3relevance
0.0threat
6.4urgency
2.9incentive
9.2Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.