CVE-2025-2727
Published: 25 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-2727 is a critical command injection vulnerability affecting H3C Magic NX30 Pro routers up to version V100R007. The issue resides in an unknown part of the /api/wizard/getNetworkStatus endpoint within the HTTP POST Request Handler component. Successful exploitation allows arbitrary command execution, as classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection). The vulnerability carries a CVSS v3.1 base score of 8.0.
Exploitation requires adjacent network access (AV:A), low attack complexity (AC:L), and low privileges (PR:L), with no user interaction needed (UI:N). An attacker with local network proximity and minimal authentication can send a crafted HTTP POST request to the vulnerable endpoint, injecting and executing arbitrary operating system commands on the device. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).
Advisories recommend upgrading the affected component to a patched version, as noted in the vulnerability description and on the linked H3C software download portal. Additional details are available via VulDB entries and a public GitHub disclosure containing the exploit.
The exploit has been publicly disclosed and may be actively used by attackers.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in an HTTP endpoint on a network device enables exploitation of a remote service for code execution (T1210) and direct arbitrary OS command execution via a Unix shell (T1059.004).