- Several models of H3C magical routers have critical vulnerabilities
- Vulnerabilities allow the escalation of privileges and command injection
- So far no patch has been issued for vulnerabilities
Several models of H3C magical routors are vulnerable to command injection attacks that can be launched remotely, according to several new critics of CVE in the NIST national vulnerability database.
A total of 8 vulnerabilities have been listed in 5 different models of H3C Magic Router, and all obtained a score of 8.8 in the gravity score.
The affected models in question are the H3C MAGIC NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic Be18000.
Routers vulnerable to command injection
Vulnerabilities are tracked as CVE-2025-2725-THROW-2732 and allow an attacker to send a package or application specially prepared without authorization to Vulnerable API to obtain the highest privileges available on the device.
Packaging packages are designed to activate specific functions of the controller within the API files, allowing an attacker to use the setback (`), which does not filter as a dangerous character, for the injection of commands with the highest privileges.
Several of the vulnerable routes contain functions to verify the dangerous characters such as the semicolons, but it seems that the setback was not included as a dangerous character that allowed the attack to avoid these functions.
For the H3C Magic NX15, CVE-2025-2725 allows an attacker to use the body of a subsequent application to activate the FCGI_userlogin function, starting a cascade of functions that results in the attacker can execute commands remotely, again using the buttless butt. The attacker can log in as a root user without using a password and access a root shell.
NVD contacted H3C before listing CVE revelations, but did not receive an answer. Currently, no patch has been issued to address vulnerabilities. The complete list of vulnerabilities can be found here.
