CVE-2025-2729

CVE-2025-2729 is a critical command injection vulnerability (CVSS 3.1 score of 8.0, vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting the HTTP POST Request Handler component in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 devices up to version V100R014. The issue arises in the processing of the /api/wizard/networkSetup file or endpoint, linked to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Command Injection). Published on 2025-03-25, it enables manipulation leading to arbitrary command execution.

Exploitation is limited to the local network (AV:A), requiring low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N). An attacker with adjacent network access and minimal authentication can inject commands via HTTP POST requests to the vulnerable endpoint, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Advisories, including those from VulDB and a GitHub repository documenting the issue, recommend upgrading the affected component to a patched version. The H3C software download portal provides relevant updates.

The exploit has been publicly disclosed and may be used in attacks.