Cyber Posture

CVE-2025-60262

Critical · Public PoC

Published: 06 January 2026

Modified: 29 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (54.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

In the H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability in vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol are automatically owned by the root user, and remote attackers could gain root-level control over the devices.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

CM-6 directly mitigates the vsftpd misconfiguration by requiring secure configuration settings that prevent anonymous FTP uploads from creating root-owned files.

prevent

CM-7 enforces least functionality by prohibiting or restricting unnecessary anonymous FTP services on affected H3C devices.

prevent

AC-14 limits permitted actions without identification or authentication, preventing anonymous FTP uploads that gain root ownership and enable remote control.

Security Summary · AI

CVE-2025-60262 is a misconfiguration vulnerability in the vsftpd FTP service on H3C M102G HM1A0V200R010 wireless controllers and BA1500L SWBA1A0V100R006 wireless access points. Published on 2026-01-06, it stems from CWE-276 (Incorrect Default Permissions), where files uploaded anonymously via FTP are automatically owned by the root user. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Remote attackers can exploit this vulnerability without authentication by connecting to the FTP service and uploading malicious files anonymously. Since these files gain root ownership, attackers can achieve full root-level control over the affected devices, potentially enabling arbitrary code execution, persistence, or further network compromise.

Mitigation details are outlined in advisories referenced at https://www.notion.so/23e54a1113e780d686fbe1624ee0465d and https://www.notion.so/Misconfiguration-in-H3C-23e54a1113e780d686fbe1624ee0465d.

Details

CWE(s)

Affected Products

h3c · mc102-g firmware · hm1a0v200r010
h3c · magic ba1500l firmware · swba1a0v100r006

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1574.010 · Services File Permissions Weakness · Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to upload files via a public-facing FTP service (T1190, T1210); the uploaded files gain root ownership due to incorrect default permissions (T1044), enabling root-level arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References