H3C Magic R3010
cpe:2.3:h:h3c:magic_r160:*:*:*:*:*:*:*
- <= V100R014
A critical command injection vulnerability has been identified in H3C Magic NX15, NX400, and R3010 routers, all versions prior to V100R014. The vulnerability resides in the HTTP POST request handler, specifically within the 'FCGI_WizardProtoProcess' function of the '/api/wizard/getsyncpppoecfg' file. Exploitation of this vulnerability requires local network access.
Exploitation of this vulnerability allows for unauthorized command injection, potentially leading to arbitrary command execution on the affected device.
The vulnerability can be reproduced by sending a crafted HTTP POST request to the '/api/wizard/getsyncpppoecfg' endpoint. This request must be initiated from within the local network.
Users are advised to upgrade to H3C Magic NX15 V100R014L01, NX400 V100R014L01, R3010 V100R008L01, or to the latest version of the respective product.