CVE-2025-2732
📋 TL;DR
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injection in the /api/wizard/getWifiNeighbour endpoint. Affected users include anyone using H3C Magic NX15, NX30 Pro, NX400, R3010, or BE18000 routers with firmware up to V100R014.
💻 Affected Systems
- H3C Magic NX15
- H3C Magic NX30 Pro
- H3C Magic NX400
- H3C Magic R3010
- H3C Magic BE18000
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise allowing attacker to install persistent backdoors, intercept all network traffic, pivot to other internal systems, or brick the device.
Likely Case
Attacker gains full control of router to modify network settings, intercept credentials, or use as pivot point for internal network attacks.
If Mitigated
Limited impact due to network segmentation, but still allows router compromise within its segment.
🎯 Exploit Status
Exploit details are publicly disclosed on GitHub. Attack requires local network access and likely authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V100R014
Vendor Advisory: https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/
Restart Required: Yes
Instructions:
1. Visit H3C support site. 2. Download latest firmware for your model. 3. Upload via router admin interface. 4. Apply update and restart router.
🔧 Temporary Workarounds
Block vulnerable endpoint
allUse router firewall rules to block access to /api/wizard/getWifiNeighbour endpoint
Network segmentation
allIsolate router management interface to dedicated VLAN
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach router management interface
- Monitor for suspicious POST requests to /api/wizard/getWifiNeighbour endpoint
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via admin interface. If version is V100R014 or earlier, device is vulnerable.Check Version:
Check via router web interface or SSH: show version (if available)Verify Fix Applied:
Verify firmware version is newer than V100R014 after update.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/wizard/getWifiNeighbour
- Command execution patterns in router logs
- Multiple failed authentication attempts followed by successful POST
Network Indicators:
- POST requests to router IP on port 80/443 with command injection patterns in payload
- Unusual outbound connections from router
SIEM Query:
source="router_logs" AND (uri="/api/wizard/getWifiNeighbour" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*")🔗 References
- https://github.com/Qwen11/CVE_store/blob/main/H3C/vulnerability%20Information_4.md
- https://vuldb.com/?ctiid.300752
- https://vuldb.com/?id.300752
- https://vuldb.com/?submit.520499
- https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/
- https://zhiliao.h3c.com/theme/details/229784
- https://github.com/Qwen11/CVE_store/blob/main/H3C/vulnerability%20Information_4.md
