Cyber Posture

CVE-2025-2725

High

Published: 25 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0092 (76.0th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2025-2725 is a critical command injection vulnerability (CVSS 8.0; CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting unspecified functionality of the /api/login/auth file in the HTTP POST Request Handler component. The vulnerability impacts H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 routers running versions up to V100R014. It is classified under CWE-74 and CWE-77.

Exploitation requires an attacker positioned within the local network (adjacent network access), possessing low privileges (PR:L), and involves low-complexity manipulation of HTTP POST requests with no user interaction required. Successful attacks enable arbitrary command injection, resulting in high impacts to confidentiality, integrity, and availability.

Advisories recommend upgrading the affected component to a patched version. Relevant resources include the H3C software download portal at https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/, VulDB entries detailing the issue (https://vuldb.com/?ctiid.300745, https://vuldb.com/?id.300745, https://vuldb.com/?submit.520390), and a GitHub repository with vulnerability information (https://github.com/ZIKH26/CVE-information/blob/master/H3C/Vulnerability%20Information_1.md).

The exploit has been publicly disclosed and may be actively used by attackers.

Details

CWE(s)
CWE-74, CWE-77

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in the router's HTTP POST request handler enables exploitation of a remote service (T1210) to execute arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References