CVE-2025-2728
Published: 25 March 2025
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2025-2728 is a critical command injection vulnerability (classified under CWE-74 and CWE-77) in H3C Magic NX30 Pro and Magic NX400 routers up to version V100R014. The issue resides in unknown code within the /api/wizard/getNetworkConf file, where manipulation enables command injection. Published on 2025-03-25, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to be within the local network (adjacent access), with low attack complexity and low privileges such as a valid user account. No user interaction is needed, and successful command injection can lead to high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of the affected device.
Advisories, including those from VulDB and the H3C software download portal, recommend upgrading the affected component to mitigate the vulnerability. Additional details are available in referenced sources such as the GitHub repository at https://github.com/RK1Y8/cve_cve/blob/main/h3c.md and VulDB entries.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability (CWE-74/77) in the router's web API directly enables arbitrary OS command execution on the network device, mapping to abuse of built-in network device CLIs for command execution.