Command Injection Vulnerability in H3C Magic NX30 Pro and NX400 by H3C Technologies Co., Ltd.
CVE-2025-2728

8.6 HIGH

Key Information:

Vendor
H3C
CVE Published:
25 March 2025

Summary

A command injection vulnerability has been identified in the H3C Magic NX30 Pro and Magic NX400 devices, affecting the /api/wizard/getNetworkConf endpoint. The flaw allows unauthorized remote attackers to execute arbitrary commands on these devices. H3C Technologies Co., Ltd. was notified of the issue beforehand but did not respond, leaving users at risk of compromise. Organizations using these products should assess their exposure and take appropriate measures.

Affected Version(s)

Magic NX30 Pro V100R014

Magic NX400 V100R014

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

xiaopolanzi (VulDB User)