Command Injection Vulnerability in H3C Magic NX15 and NX400 Devices
CVE-2025-3542

8 HIGH

Key Information:

Vendor: H3C Technologies Co., Ltd.
Products: H3C Magic NX15, NX400, R3010
CVE Published: 14 April 2025

Summary

A command injection vulnerability has been identified in the HTTP POST request handler of the affected H3C Magic devices. The flaw resides in the FCGI_WizardProtoProcess function within the /api/wizard/getsyncpppoecfg file. An attacker who is within the local network can use it to execute arbitrary commands. Because the exploit has been made public, it is crucial that users upgrade their affected devices to mitigate the risk.

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
