PT-2025-16196 · H3C · H3C Magic Be18000+4
Mono7S
·
Published
2025-04-14
·
Updated
2025-04-19
·
CVE-2025-3544
CVSS v2.0
7.7
High
| Vector | AV:A/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
H3C Magic NX15 versions up to V100R014
H3C Magic NX30 Pro versions up to V100R014
H3C Magic NX400 versions up to V100R014
H3C Magic R3010 versions up to V100R014
H3C Magic BE18000 versions up to V100R014
Description:
A critical issue affects the function
FCGI CheckStringIfContainsSemicolon of the file "/api/wizard/getCapabilityWeb" in the component HTTP POST Request Handler, leading to command injection. Access to the local network is required for this attack to succeed. The issue has been publicly disclosed.Recommendations:
For H3C Magic NX15 versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic NX400 versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic R3010 versions up to V100R014, upgrade the affected component to a newer version.
For H3C Magic BE18000 versions up to V100R014, upgrade the affected component to a newer version.
Exploit
Fix
Special Elements Injection
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
H3C Magic Be18000
H3C Magic Nx15
H3C Magic Nx30 Pro
H3C Magic Nx400
H3C Magic R3010