CVE-2025-2730
📋 TL;DR
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injection in the /api/wizard/getssidname endpoint. Affected users include anyone using H3C Magic NX15, NX30 Pro, NX400, R3010, or BE18000 routers with firmware up to V100R014.
💻 Affected Systems
- H3C Magic NX15
- H3C Magic NX30 Pro
- H3C Magic NX400
- H3C Magic R3010
- H3C Magic BE18000
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full router compromise allowing attacker to intercept all network traffic, install persistent backdoors, pivot to other internal systems, or brick the device.
Likely Case
Router takeover enabling network traffic monitoring, credential theft, DNS hijacking, and lateral movement to connected devices.
If Mitigated
Limited impact due to network segmentation and strict access controls preventing local network access by unauthorized users.
🎯 Exploit Status
Public exploit code available on GitHub. Requires authenticated access to the router web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V100R015 or later
Vendor Advisory: https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/
Restart Required: Yes
Instructions:
1. Log into router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from H3C website. 4. Upload and install firmware. 5. Reboot router after installation.
🔧 Temporary Workarounds
Disable remote management
allPrevent access to router web interface from local network except from trusted management stations
Network segmentation
allIsolate router management interface to separate VLAN with strict access controls
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access router management interface
- Monitor for suspicious POST requests to /api/wizard/getssidname endpoint
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin interface under System Status. If version is V100R014 or earlier, device is vulnerable.Check Version:
Login to router web interface and navigate to System Status pageVerify Fix Applied:
After patching, verify firmware version shows V100R015 or later in System Status page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/wizard/getssidname
- Multiple failed authentication attempts followed by successful login
- Commands containing shell metacharacters in HTTP parameters
Network Indicators:
- Unusual outbound connections from router to external IPs
- DNS queries to suspicious domains from router
SIEM Query:
source="router_logs" AND (uri="/api/wizard/getssidname" OR (method="POST" AND uri CONTAINS "wizard"))🔗 References
- https://github.com/Qwen11/CVE_store/blob/main/H3C/vulnerability%20Information_2.md
- https://vuldb.com/?ctiid.300750
- https://vuldb.com/?id.300750
- https://vuldb.com/?submit.520495
- https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/
- https://zhiliao.h3c.com/theme/details/229784
