CVE-2025-3546

EPSS 1.07%
Veröffentlicht 14.04.2025 01:31:07
Zuletzt bearbeitet 13.02.2026 21:47:58
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getLanguage of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

H3c ≫ Magic Nx15 Firmware Version <= 100r014

H3c ≫ Magic Nx15 Version-

H3c ≫ Magic Nx30 Pro Firmware Version <= 100r014

H3c ≫ Magic Nx30 Pro Version-

H3c ≫ Magic Nx400 Firmware Version <= 100r014

H3c ≫ Magic Nx400 Version-

H3c ≫ Magic R3010 Firmware Version <= 100r014

H3c ≫ Magic R3010 Version-

H3c ≫ Magic Be18000 Firmware Version <= 100r014

H3c ≫ Magic Be18000 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.07%	0.774

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	8.6	0	0	CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	8	2.1	5.9	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com	7.7	5.1	10	AV:A/AC:L/Au:S/C:C/I:C/A:C

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/

Product

https://zhiliao.h3c.com/theme/details/229784

Vendor Advisory

https://vuldb.com/?id.304585

Third Party Advisory

VDB Entry

https://vuldb.com/?ctiid.304585

VDB Entry

Permissions Required

https://vuldb.com/?submit.524745

Third Party Advisory