CVE-2025-3543

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014

Description: A critical vulnerability has been found in H3C Magic NX series devices, affecting the function FCGI WizardProtoProcess of the file /api/wizard/setsyncpppoecfg of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used.

Recommendations: To resolve the issue, upgrade the affected component to a version later than V100R014 for each of the following devices: H3C Magic NX15 H3C Magic NX30 Pro H3C Magic NX400 H3C Magic R3010 As a temporary workaround, consider restricting access to the /api/wizard/setsyncpppoecfg API endpoint and disabling the FCGI WizardProtoProcess function until a patch is available.