PT-2025-16190 · H3C · H3C Magic R3010+3
Mono7S
·
Published
2025-04-13
·
Updated
2025-04-17
·
CVE-2025-3540
CVSS v2.0
7.7
High
| Vector | AV:A/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
H3C Magic NX15 versions up to V100R014
H3C Magic NX30 Pro versions up to V100R014
H3C Magic NX400 versions up to V100R014
H3C Magic R3010 versions up to V100R014
Description:
A critical vulnerability was found in the H3C Magic NX series, affecting the function
FCGI WizardProtoProcess of the /api/wizard/getCapability API endpoint in the HTTP POST Request Handler component. This vulnerability leads to command injection. The attack can only be initiated within the local network.Recommendations:
For H3C Magic NX15 versions up to V100R014, upgrade the affected component.
For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component.
For H3C Magic NX400 versions up to V100R014, upgrade the affected component.
For H3C Magic R3010 versions up to V100R014, upgrade the affected component.
As a temporary workaround, consider disabling the
FCGI WizardProtoProcess function until a patch is available.Exploit
Fix
Special Elements Injection
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
H3C Magic Nx15
H3C Magic Nx30 Pro
H3C Magic Nx400
H3C Magic R3010