PT-2025-16196 · H3C · H3C Magic Be18000+4
Mono7S
·
Publicado
2025-04-14
·
Atualizado
2025-04-19
·
CVE-2025-3544
CVSS v2.0
7.7
Alta
| Vetor | AV:A/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
H3C Magic NX15 versions up to V100R014
H3C Magic NX30 Pro versions up to V100R014
H3C Magic NX400 versions up to V100R014
H3C Magic R3010 versions up to V100R014
H3C Magic BE18000 versions up to V100R014
Description:
A critical issue affects the function
FCGI CheckStringIfContainsSemicolon of the file "/api/wizard/getCapabilityWeb" in the component HTTP POST Request Handler, leading to command injection. Access to the local network is required for this attack to succeed. The issue has been publicly disclosed.Recommendations:
For H3C Magic NX15 versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic NX400 versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic R3010 versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic BE18000 versions up to V100R014, upgrade the affected component to a newer version.
Exploit
Correção
Special Elements Injection
Command Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
H3C Magic Be18000
H3C Magic Nx15
H3C Magic Nx30 Pro
H3C Magic Nx400
H3C Magic R3010