CVE-2025-2729: H3C Magic BE18000 HTTP POST Request networkSetup command injection
Description
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects some unknown processing of the file /api/wizard/networkSetup of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Eine kritische Schwachstelle wurde in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 bis V100R014 gefunden. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei /api/wizard/networkSetup der Komponente HTTP POST Request Handler. Durch das Beeinflussen mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2025-2729
CVSS Base Severity: HIGH
CVSS Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
Vendor: H3C, H3C, H3C, H3C, H3C
Product: Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, Magic BE18000
Exploit Prediction Scoring System (EPSS)
EPSS Score: 1.54% (probability of being exploited)
EPSS Percentile: 80.31% (scored less or equal to compared to others)
EPSS Date: 2025-04-22 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2729https://vuldb.com/?id.300749
https://vuldb.com/?ctiid.300749
https://vuldb.com/?submit.520494
https://github.com/Qwen11/CVE_store/blob/main/H3C/vulnerability%20Information_1.md