Command Injection Vulnerability in H3C Magic NX30 Pro and NX400 by H3C Technologies Co., Ltd.
CVE-2025-2728

8.6HIGH

Key Information:

Vendor: H3c
Status: Magic Nx30 Pro; Magic Nx400
Vendor: CVE Published:; 25 March 2025

What is CVE-2025-2728?

A command injection vulnerability has been identified in the H3C Magic NX30 Pro and Magic NX400 devices impacting the /api/wizard/getNetworkConf endpoint. This flaw allows unauthorized remote attackers to execute arbitrary commands on these devices. Despite prior notification to H3C Technologies Co., Ltd., the response to this security issue was not forthcoming, leaving users at risk of compromise. It is essential for organizations utilizing these products to assess their exposure and take appropriate measures.

Affected Version(s)

Magic NX30 Pro V100R014

Magic NX400 V100R014

References

https://vuldb.com/?id.300748

vdb-entrytechnical-description

https://vuldb.com/?ctiid.300748

signaturepermissions-required

https://vuldb.com/?submit.520462

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2025
Vulnerability Reserved
Mar 24, 2025

Credit

xiaopolanzi (VulDB User)

H3c

What is CVE-2025-2728?

Affected Version(s)

References

CVSS V4

Timeline

Credit