CVE-2025-2731
Published: 25 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-2731 is a critical command injection vulnerability (CVSS 8.0, CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) discovered in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 routers up to version V100R014. The issue resides in an unknown functionality of the /api/wizard/getDualbandSync endpoint within the HTTP POST Request Handler component and is linked to CWE-74 and CWE-77. Published on 2025-03-25, it enables manipulation via crafted POST requests.
An attacker on the adjacent local network with low privileges can exploit this vulnerability by sending a malicious HTTP POST request to the affected endpoint, requiring low complexity and no user interaction. Successful exploitation leads to arbitrary command injection, granting high-impact compromise of confidentiality, integrity, and availability on the targeted device.
Advisories recommend upgrading the affected component to a patched version as the primary mitigation. Details are available via VulDB entries and the H3C software download portal for relevant firmware updates.
The exploit has been publicly disclosed and may be actively used by attackers.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a command injection vulnerability in a router's HTTP API endpoint, allowing arbitrary command execution via crafted POST requests from an adjacent network. This directly maps to exploitation of remote services (T1210) and command execution via Unix shell (T1059.004).