H3C Magic Products Command Injection Vulnerability

Vulnerability

A critical command injection vulnerability has been identified in several H3C Magic router models, including the NX15, NX30 Pro, NX400, R3010, and BE18000, all running versions prior to the latest release. The vulnerability resides in the HTTP POST request handler, specifically within the 'FCGI_CheckStringIfContainsSemicolon' function, where improper input handling allows for command injection. Exploitation of this vulnerability requires local network access.

Impact

Exploitation of this vulnerability allows for unauthorized command injection, potentially leading to arbitrary command execution on the affected device.

Remediation

Users are advised to upgrade to the latest version available for their specific router model. The updated versions can be downloaded from the H3C official website or through the H3C service app. For detailed upgrade instructions, please refer to the H3C partner resource center.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.