CVE-2025-3539

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014

Description: A critical vulnerability has been found in H3C Magic devices, affecting the function FCGI CheckStringIfContainsSemicolon of the file "/api/wizard/getBasicInfo" of the component HTTP POST Request Handler. This leads to command injection. The attack can only be done within the local network.

Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic NX400 versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic R3010 versions up to V100R014, upgrade the affected component to a newer version. For H3C Magic BE18000 versions up to V100R014, upgrade the affected component to a newer version. As a temporary workaround, consider disabling the FCGI CheckStringIfContainsSemicolon function until a patch is available. Restrict access to the "/api/wizard/getBasicInfo" API endpoint to minimize the risk of exploitation.