CVE-2025-3541

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15, Magic NX30 Pro, Magic NX400, and Magic R3010 versions up to V100R014

Description: A critical issue has been found in the affected devices, specifically in the function FCGI WizardProtoProcess of the /api/wizard/getSpecs endpoint of the HTTP POST Request Handler component. This issue leads to command injection. The attack must be performed within the local network.

Recommendations: For H3C Magic NX15, Magic NX30 Pro, Magic NX400, and Magic R3010 versions up to V100R014, it is recommended to upgrade the affected component to a version that is not affected by this issue. As a temporary workaround, consider disabling the FCGI WizardProtoProcess function until a patch is available. Restrict access to the /api/wizard/getSpecs endpoint to minimize the risk of exploitation.