
CVE-2025-2727: H3C Magic NX30 Pro HTTP POST Request getNetworkStatus command injection

8.7 CVSS

Description

A vulnerability classified as critical was found in H3C Magic NX30 Pro up to V100R007. It affects an unknown part of the file /api/wizard/getNetworkStatus in the HTTP POST Request Handler component. Manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Classification

CVE ID: CVE-2025-2727

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

Command Injection
Injection

Affected Products

Vendor: H3C

Product: Magic NX30 Pro

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.54% (probability of being exploited)

EPSS Percentile: 80.31% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-22 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2727
https://vuldb.com/?id.300747
https://vuldb.com/?ctiid.300747
https://vuldb.com/?submit.520394
https://github.com/ggstrunk/CVE/blob/main/wizard_getNetworkStatus.md

Timeline