CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-2728: H3C Magic NX30 Pro/Magic NX400 getNetworkConf command injection

8.7 CVSS

Description

A vulnerability has been found in H3C Magic NX30 Pro and Magic NX400 up to V100R014 and classified as critical. This vulnerability affects unknown code of the file /api/wizard/getNetworkConf. The manipulation leads to command injection. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. In H3C Magic NX30 Pro and Magic NX400 bis V100R014 wurde eine kritische Schwachstelle gefunden. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /api/wizard/getNetworkConf. Durch Manipulieren mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen.

Classification

CVE ID: CVE-2025-2728

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

Command Injection Injection

Affected Products

Vendor: H3C, H3C

Product: Magic NX30 Pro, Magic NX400

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.54% (probability of being exploited)

EPSS Percentile: 80.31% (scored less or equal to compared to others)

EPSS Date: 2025-04-22 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2728
https://vuldb.com/?id.300748
https://vuldb.com/?ctiid.300748
https://vuldb.com/?submit.520462
https://github.com/RK1Y8/cve_cve/blob/main/h3c.md

Timeline

2025-03-25 03:40:12 UTC
CVE

H3C Magic NX30 Pro/Magic NX400 getNetworkConf command injection