CVE-2025-3545

Name of the Vulnerable Software and Affected Versions: H3C Magic NX15 versions up to V100R014 H3C Magic NX30 Pro versions up to V100R014 H3C Magic NX400 versions up to V100R014 H3C Magic R3010 versions up to V100R014 H3C Magic BE18000 versions up to V100R014

Description: A critical issue has been found in H3C network devices, affecting the function FCGI CheckStringIfContainsSemicolon of the /api/wizard/setLanguage component in the HTTP POST Request Handler. This leads to command injection. The attack must be launched from within the local network.

Recommendations: For H3C Magic NX15 versions up to V100R014, upgrade the affected component. For H3C Magic NX30 Pro versions up to V100R014, upgrade the affected component. For H3C Magic NX400 versions up to V100R014, upgrade the affected component. For H3C Magic R3010 versions up to V100R014, upgrade the affected component. For H3C Magic BE18000 versions up to V100R014, upgrade the affected component. As a temporary workaround, consider disabling the FCGI CheckStringIfContainsSemicolon function until a patch is available. Restrict access to the /api/wizard/setLanguage API endpoint to minimize the risk of exploitation.