Unauthorized Access in H3C Devices Due to Insecure Default Credentials
CVE-2025-57295

8 HIGH

Key Information:

Vendor: H3C
CVE Published: 18 September 2025

What is CVE-2025-57295?

H3C devices running NX15V100R015 firmware ship with insecure default credentials. The root account is configured without a password, and the H3C account retains the default password 'admin'; both entries are stored in the /etc/shadow file. An attacker with network access can use these default credentials to log in to the administrative interface or other network services. The resulting unauthorized access can lead to privilege escalation, information disclosure, and even arbitrary code execution, compromising the integrity and security of the entire network.
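For checking a firmware image or a running device for this condition, the following added example (not code from the advisory or from H3C) audits a shadow(5) file for accounts with an empty password field or a hash that matches a known default such as 'admin'. The sample entries are constructed, the status labels are hypothetical, and hash comparison assumes Python's Unix-only `crypt` module is available (it was removed in Python 3.13).

```python
"""Audit a shadow(5) file, e.g. one extracted from a firmware image."""
import sys

try:
    import crypt  # Unix only; removed in Python 3.13
    _default_hasher = crypt.crypt
except ImportError:
    _default_hasher = None  # hash comparison is skipped without it

# Constructed sample; the hash field is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
root::0:0:99999:7:::
H3C:$1$constructed$PLACEHOLDERHASHVALUE00:0:0:99999:7:::
nobody:*:0:0:99999:7:::
"""

def audit_shadow(text, candidates=("admin",), hasher=_default_hasher):
    """Return {account: finding} for every entry in a shadow file."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, field = line.split(":")[:2]
        if field == "":
            findings[name] = "EMPTY"             # login needs no password
        elif field[0] in "!*":
            findings[name] = "LOCKED"            # password login disabled
        elif hasher is None:
            findings[name] = "UNTESTED"          # hash present, cannot verify
        else:
            findings[name] = "NO_DEFAULT_MATCH"
            for word in candidates:
                try:
                    # crypt(3) reuses the scheme and salt from the stored hash
                    match = hasher(word, field) == field
                except OSError:                  # unsupported hash scheme
                    match = False
                if match:
                    findings[name] = "DEFAULT:" + word
                    break
    return findings

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for account, finding in audit_shadow(data).items():
        print(f"{account:12} {finding}")
```

Any account reported as `EMPTY` or `DEFAULT:...` should have a unique password set or be locked before the device is reachable from the network.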

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
