Primary

Context

H3C Magic Products Command Injection Vulnerability

Vulnerability

Patched

A command injection vulnerability has been identified in several H3C Magic home router models, including the NX15, NX30 Pro, NX400, R3010, and BE18000, all through specific versions. The vulnerability resides in the HTTP POST request handler, specifically within the 'FCGI_CheckStringIfContainsSemicolon' function, where improper input validation allows for command injection. This issue can only be exploited from within the local network.

Impact

Exploitation of this vulnerability allows for unauthorized command injection, potentially leading to arbitrary command execution on the affected device.

Remediation

Users are advised to upgrade to the latest firmware versions available on the H3C website. For specific upgrade instructions, refer to the H3C software download page.

Added: Sep 1, 2025, 7:22 PM

Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

H3C Magic Products Command Injection Vulnerability

Vulnerability

Impact

Remediation

Affected Products

H3C Magic R3010

H3C Magic BE18000

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating