CVE-2025-3546
📋 TL;DR
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injection in the FCGI_CheckStringIfContainsSemicolon function. The exploit targets the HTTP POST request handler in the language configuration API endpoint, potentially giving attackers full control of affected devices. Organizations using H3C Magic NX15, NX30 Pro, NX400, R3010, and BE18000 routers up to version V100R014 are affected.
💻 Affected Systems
- H3C Magic NX15
- H3C Magic NX30 Pro
- H3C Magic NX400
- H3C Magic R3010
- H3C Magic BE18000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, intercept all network traffic, pivot to other internal systems, and potentially disrupt network operations.
Likely Case
Attackers gain shell access to the router, enabling them to modify configurations, steal credentials, monitor network traffic, and use the device as a foothold for lateral movement.
If Mitigated
With proper network segmentation and access controls, impact is limited to the compromised device only, preventing lateral movement to critical systems.
🎯 Exploit Status
Exploit code is publicly available on GitHub. Attack requires authentication to the router's web interface but is straightforward to execute once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V100R014
Vendor Advisory: https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/
Restart Required: Yes
Instructions:
1. Visit H3C's official download portal.
2. Locate your specific router model.
3. Download the latest firmware version (after V100R014).
4. Access the router web interface.
5. Navigate to the firmware upgrade section.
6. Upload and install the new firmware.
7. Reboot the router.
🔧 Temporary Workarounds
Restrict Web Interface Access
Limit access to the router's web administration interface to trusted management IP addresses only.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Unnecessary API Endpoints
Block access to the vulnerable /api/wizard/getLanguage endpoint if it is not required for operations. Note that this string match only inspects plaintext HTTP on port 80; it cannot see requests sent over HTTPS on port 443, so combine it with the access restriction above.
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /api/wizard/getLanguage" --algo bm -j DROP
🧯 If You Can't Patch
- Segment affected routers into isolated VLANs to prevent lateral movement if compromised.
- Implement strict network monitoring and alerting for unusual outbound connections from router devices.
🔍 How to Verify
Check if Vulnerable:
Check router firmware version via web interface: System Status > Firmware Version. If version is V100R014 or earlier, device is vulnerable.
Check Version:
curl -k -s https://ROUTER_IP/api/wizard/getLanguage -X POST -H "Content-Type: application/json" -d '{"language":"test"}' | grep -i version
Verify Fix Applied:
After upgrading, verify firmware version shows a version higher than V100R014. Test the /api/wizard/getLanguage endpoint with proper authorization to ensure command injection is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/wizard/getLanguage with semicolon characters in payload
- Multiple failed authentication attempts followed by successful login and API access
- System logs showing unexpected command execution or process creation
Network Indicators:
- Outbound connections from router to suspicious external IPs
- Unusual traffic patterns from router to internal systems
- DNS queries for command-and-control domains from router
SIEM Query:
source="router_logs" AND ((uri="/api/wizard/getLanguage" AND method="POST" AND payload CONTAINS ";") OR ((process="sh" OR process="bash") AND parent_process="httpd"))
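To put the log indicators and the SIEM query above into runnable form, here is an added example (not from the advisory or from H3C) that scans constructed log lines for the two signals: POSTs to /api/wizard/getLanguage whose body carries shell metacharacters (including a URL-encoded semicolon), and shell processes spawned by httpd. The log line formats, field names and sample addresses are assumptions made for the example.

```python
import json
import re
from urllib.parse import unquote
# Constructed log formats for this example (real H3C log formats differ):
#   access line:  <src_ip> <method> <uri> <status> <request_body>
#   process line: proc=<name> parent=<parent_process_name>
ACCESS_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<body>.*)$")
PROC_LINE = re.compile(r"^proc=(?P<proc>\S+) parent=(?P<parent>\S+)")
VULN_URI = "/api/wizard/getLanguage"
SHELL_META = re.compile(r"[;|&`$]")  # semicolon per the advisory, plus common shell separators

def check_access(line):
    """Alert when a POST to the vulnerable endpoint carries shell metacharacters in any
    JSON value; the body is URL-decoded first so an encoded %3B is caught as well."""
    m = ACCESS_LINE.match(line)
    if not m or m["method"] != "POST" or m["uri"] != VULN_URI:
        return None
    body = unquote(m["body"])
    try:
        values = " ".join(str(v) for v in json.loads(body).values())
    except (ValueError, AttributeError):
        values = body  # malformed or non-object JSON: inspect the raw body
    if SHELL_META.search(values):
        return f"command-injection attempt from {m['src']}: {m['body']}"
    return None

def check_process(line):
    """Alert when the router's web server spawns a shell (the SIEM query's second clause)."""
    m = PROC_LINE.match(line)
    if m and m["proc"] in ("sh", "bash") and m["parent"] == "httpd":
        return f"shell spawned by httpd: {line}"
    return None

def scan(lines):
    """Run both checks over log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        alert = check_access(line) or check_process(line)
        if alert:
            alerts.append(alert)
    return alerts

SAMPLE_LOGS = [  # constructed: benign request, encoded attempt, plain attempt, shell spawn, benign shell
    '192.168.1.20 POST /api/wizard/getLanguage 200 {"language":"en"}',
    '192.168.1.50 POST /api/wizard/getLanguage 200 {"language":"en%3Bid"}',
    '192.168.1.50 POST /api/wizard/getLanguage 500 {"language":"en;id"}',
    "proc=sh parent=httpd",
    "proc=sh parent=init",
]
```

Running scan(SAMPLE_LOGS) yields three alerts: the two injection attempts (the encoded one is reported with its original body) and the httpd-spawned shell; the benign request and the init-spawned shell are ignored.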