CVE-2024-38902 – H3C Magic R230 routers running V100R002 contain... (How to Fix)

Q: What is the severity of CVE-2024-38902?

CVE-2024-38902 has a CVSS score of 9.8 (CRITICAL). H3C Magic R230 routers running V100R002 contain a hardcoded root password in /etc/shadow, allowing attackers to gain full administrative control. This affects all devices running the vulnerable firmware version. Attackers can exploit this to compromise the router and potentially pivot to connected networks.

📋 TL;DR

H3C Magic R230 routers running V100R002 contain a hardcoded root password in /etc/shadow, allowing attackers to gain full administrative control. This affects all devices running the vulnerable firmware version. Attackers can exploit this to compromise the router and potentially pivot to connected networks.

💻 Affected Systems

Products:

H3C Magic R230

Versions: V100R002

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running this firmware version are vulnerable out-of-the-box.

📦 What is this software?

Magic R230 Firmware by H3c

View all CVEs affecting Magic R230 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover, credential harvesting, network pivoting, persistent backdoor installation, and data exfiltration from connected devices.

🟠

Likely Case

Router compromise leading to network traffic interception, DNS hijacking, and unauthorized access to connected systems.

🟢

If Mitigated

Limited impact if device is isolated, not internet-facing, and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires SSH or telnet access to the device. The hardcoded password is publicly documented in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check H3C vendor website for firmware updates. If available, download and apply the latest firmware following vendor instructions.

🔧 Temporary Workarounds

Change root password

linux

Manually change the root password to a strong, unique password

passwd root

Disable remote root login

linux

Modify SSH configuration to prevent root login

sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
service ssh restart

🧯 If You Can't Patch

Isolate affected devices in a separate network segment
Implement strict firewall rules to limit access to management interfaces

🔍 How to Verify

Check if Vulnerable:

Check /etc/shadow file for hardcoded password: grep root /etc/shadow

Check Version:

cat /etc/version or check web interface

Verify Fix Applied:

Verify root password hash has changed and SSH root login is disabled

📡 Detection & Monitoring

Log Indicators:

Failed SSH login attempts followed by successful root login
Unusual root login from unexpected IP addresses

Network Indicators:

SSH or telnet connections to router management interface from suspicious sources

SIEM Query:

source="router.log" ("Accepted password for root" OR "session opened for user root")

📊 Metadata

CVE ID: CVE-2024-38902

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-259

Published: June 24, 2024

Last Updated: May 27, 2025

🔗 References

https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/H3C/Magic%20R230/hardcode/README.md Exploit,Third Party Advisory
https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/H3C/Magic%20R230/hardcode/README.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-38902, you might also want to check these: