What security vulnerabilities have been found in H3C Magic routers?

Multiple H3C Magic router models have been identified with critical security vulnerabilities that allow remote command injection attacks. A total of eight vulnerabilities (CVE-2025-2725 through CVE-2025-2732) have been identified, all with CVSS scores of 8.8, indicating critical severity.

What specific vulnerabilities have been identified?

Eight vulnerabilities have been identified: CVE-2025-2732 (affecting /api/wizard/getWifiNeighbour), CVE-2025-2731 (affecting /api/wizard/getDualbandSync), CVE-2025-2730 (affecting /api/wizard/getssidname), CVE-2025-2729 (affecting /api/wizard/networkSetup), CVE-2025-2728 (affecting /api/wizard/getNetworkConf), CVE-2025-2727 (affecting /api/wizard/getNetworkStatus), CVE-2025-2726 (affecting /api/esps), and CVE-2025-2725 (affecting /api/login/auth).

Which H3C Magic router models are affected?

The vulnerability affects the following H3C Magic router models up to firmware version V100R014: Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000.

Has H3C released any patches or security updates for these vulnerabilities?

As of March 25, 2025, no patches or security updates have been issued to address these vulnerabilities. The National Vulnerability Database (NVD) contacted H3C prior to publishing these CVE disclosures but received no response from the vendor.

What is the severity of these vulnerabilities?

All eight vulnerabilities have been assigned a CVSS score of 8.8, which is considered critical severity. This high score reflects the potential for remote attackers to gain root-level access to affected devices.

What are the potential consequences if these vulnerabilities are exploited?

If exploited, these vulnerabilities allow attackers to execute commands with the highest privileges on the affected devices. This can lead to complete compromise of the router, potentially allowing attackers to intercept network traffic, modify device configurations, create backdoors, or use the device as a pivot point for further attacks on the network.

Advisory

Multiple vulnerabilities reported in H3C Magic Router models

published: March 25, 2025

Take action: H3C Magic Router models have multiple flaws, which are very near critical - and there is no patch. Make sure you isolate the HTTP protocol interface to these devices from the internet make it accessible only from trusted networks. Contact the vendor for patches, and then consider replacing them if the vendor doesn't provide fixes.

Learn More

Multiple H3C Magic router models have been identified with critical security vulnerabilities that allow remote command injection attacks.

The vulnerabilities allow attackers to send specially crafted POST requests to vulnerable API endpoints without authorization. These requests trigger specific handler functions within the API files, exploiting a security oversight where the backtick character (`) is not filtered as dangerous. This allows command injection with the highest privileges on the device.

A total of eight vulnerabilities have been identified across these models, all involving command injection attacks that can be executed remotely:

CVE-2025-2732 (CVSS score 8.8), affecting the /api/wizard/getWifiNeighbour component of the HTTP POST Request Handler
CVE-2025-2731 (CVSS score 8.8), affecting the /api/wizard/getDualbandSync component of the HTTP POST Request Handler
CVE-2025-2730 (CVSS score 8.8), affecting the /api/wizard/getssidname component of the HTTP POST Request Handler
CVE-2025-2729 (CVSS score 8.8), affecting the /api/wizard/networkSetup component of the HTTP POST Request Handler
CVE-2025-2728 (CVSS score 8.8), affecting the /api/wizard/getNetworkConf component
CVE-2025-2727 (CVSS score 8.8), affecting the /api/wizard/getNetworkStatus component of the HTTP POST Request Handler
CVE-2025-2726 (CVSS score 8.8), affecting the /api/esps component of the HTTP POST Request Handler
CVE-2025-2725 (CVSS score 8.8), affecting the /api/login/auth component of the HTTP POST Request Handler

For example, CVE-2025-2725 enables attackers to use the body of a POST request to trigger the FCGI_UserLogin function, initiating a cascade of functions that results in remote command execution. Attackers can then log in as the root user without a password and gain access to a root shell.

The vulnerability affects the following H3C Magic router models up to firmware version V100R014:

Magic NX15
Magic NX30 Pro
Magic NX400
Magic R3010
Magic BE18000

The National Vulnerability Database (NVD) contacted H3C prior to publishing these CVE disclosures but received no response from the vendor. As of the publication date (March 25, 2025), no patches or security updates have been issued to address these vulnerabilities.

Since no official patch is currently available, organizations and individuals using affected H3C Magic router models should consider implementing network-level protections to restrict access to the devices' web interfaces.

Multiple vulnerabilities reported in H3C Magic Router models

Read More
Cisco patches Identity Services Engine flaw after public …
KerioControl firewall flaw actively exploited by hackers
OWASP CRS Patches Critical Multipart Charset Validation Bypass
Critical flaws reported in DrayTek routers, over 700,000 …
CISA reports active expploit of Sierra Wireless Router …