CVE-2025-3540: H3C Magic NX15/Magic NX30 Pro/Magic NX400/Magic R3010 HTTP POST Request getCapability FCGI_WizardProtoProcess command injection
Description
A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 up to V100R014. Affected by this vulnerability is the function FCGI_WizardProtoProcess of the file /api/wizard/getCapability of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. In H3C Magic NX15, Magic NX30 Pro, Magic NX400 and Magic R3010 bis V100R014 wurde eine kritische Schwachstelle entdeckt. Hierbei betrifft es die Funktion FCGI_WizardProtoProcess der Datei /api/wizard/getCapability der Komponente HTTP POST Request Handler. Dank der Manipulation mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff im lokalen Netzwerk. Der Exploit steht zur öffentlichen Verfügung. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.
Classification
CVE ID: CVE-2025-3540
CVSS Base Severity: HIGH
CVSS Base Score: 8.6
CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
Vendor: H3C
Product: Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.79% (probability of being exploited)
EPSS Percentile: 71.8% (scored less or equal to compared to others)
EPSS Date: 2025-04-14 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3540https://vuldb.com/?id.304579
https://vuldb.com/?ctiid.304579
https://vuldb.com/?submit.524734
https://gist.github.com/mono7s/882650a9a9b54bedc374caf8308efef2
https://zhiliao.h3c.com/theme/details/229784
https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/