CVE-2025-4998

CVSS 6.5 MEDIUM

📋 TL;DR

This vulnerability in H3C Magic R200G routers lets a remote, unauthenticated attacker cause a denial of service by manipulating parameters in HTTP POST requests to the /goform/aspForm handler. Affected users are those running vulnerable firmware on these routers; a successful attack takes the router down and with it the network connectivity of every device behind it.

💻 Affected Systems

Products:
  • H3C Magic R200G
Versions: Up to and including firmware version 100R002
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware are vulnerable in their default configuration. The attacker only needs network reachability to the router's web management interface; no credentials are required.

⚠️ Manual Verification Required

Our database has no structured version range for this CVE, so automated detection cannot decide whether your device is affected. The "up to 100R002" bound listed under Affected Systems therefore has to be confirmed manually against the firmware version on your device.

Why? The CVE database entry carries no machine-readable version ranges (none were provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router unavailability requiring a manual power-cycle or factory reset, disrupting all network services for connected devices until the router is back up.

🟠

Likely Case

Temporary service disruption affecting Wi-Fi and network connectivity until router restart.

🟢

If Mitigated

Minimal impact if routers are behind firewalls with restricted HTTP access or if vulnerable endpoints are blocked.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-exposed routers particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers can still exploit this, but exploitation requires network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The attack consists of sending crafted HTTP POST requests to the router's /goform/aspForm handler; no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Not applicable (no patch available)

Instructions:

No official patch available. Monitor H3C security advisories for updates. Consider upgrading to newer router models if available.

🔧 Temporary Workarounds

Block Vulnerable Endpoints

linux

Use firewall rules to block access to the /goform/aspForm endpoint. The string match only works on plaintext HTTP (TLS traffic on 443 cannot be inspected this way), can be evaded by splitting the path across TCP segments, and must run on a device that sees the traffic before the router's web server does. Restricting the management ports to a trusted management host (192.0.2.10 here is a placeholder) is more reliable than matching the path:

iptables -A INPUT -p tcp --dport 80 -m string --string "/goform/aspForm" --algo bm -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

Disable Web Management Interface

all

Turn off remote (WAN-side) web management if it is not required, and limit LAN-side access to the management interface to trusted hosts.

🧯 If You Can't Patch

  • Place routers behind firewalls with strict inbound rules, allowing only necessary management IPs
  • Change default credentials and implement strong authentication for management interfaces. This does not stop the unauthenticated attack described here, but it limits what an attacker can do with the interface beyond crashing the device.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via router web interface at System Status > Firmware Version. If version is 100R002 or earlier, device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware   # if nothing is printed, check the web interface manually

Verify Fix Applied:

No fix available to verify. Monitor for firmware updates from H3C.

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP POST requests to /goform/aspForm with unusual parameters
  • Router reboot events or service disruption logs

Network Indicators:

  • HTTP traffic to the router on ports 80/443 containing strings like Edit_BasicSSID, SetAPWifiorLedInfoById, or AddMacList (only visible in plaintext HTTP or after TLS termination at a proxy)

SIEM Query:

source="router_logs" AND url="/goform/aspForm" AND method="POST" AND (param="Edit_BasicSSID" OR param="SetAPWifiorLedInfoById" OR param="AddMacList")
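The log and network indicators above, turned into a small scanner. This is an added example, not code from the original page or from H3C: it reads constructed, Combined-Log-style proxy lines whose trailing quoted field is assumed to be the decoded POST body, flags POSTs to /goform/aspForm that carry one of the function names listed on the page (assumed to appear as a parameter name or value, e.g. CMD=Edit_BasicSSID), and additionally flags oversized parameter values, with the 64-byte threshold being an assumption.

```python
"""Flag HTTP requests matching the CVE-2025-4998 indicators on this page.

Added example, not from the original page or from H3C. The log format
(Combined Log with the decoded POST body as the last quoted field) is assumed.
"""
import re
from urllib.parse import parse_qs

SUSPECT_ENDPOINT = "/goform/aspForm"                       # from the page
SUSPECT_FUNCTIONS = {"Edit_BasicSSID", "SetAPWifiorLedInfoById", "AddMacList"}  # from the page
MAX_PARAM_LEN = 64                                         # heuristic threshold, an assumption

# src - - [timestamp] "METHOD /path HTTP/x" status size "body"   (assumed format)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(rec["body"], keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a record looks like an attempt against /goform/aspForm."""
    reasons = []
    if rec is None or rec["method"] != "POST":
        return reasons
    if rec["path"].split("?", 1)[0] != SUSPECT_ENDPOINT:
        return reasons
    # Function name may be the parameter name or its value (assumed, e.g. CMD=Edit_BasicSSID).
    hit = set(rec["params"]) & SUSPECT_FUNCTIONS
    for vals in rec["params"].values():
        hit |= {v for v in vals if v in SUSPECT_FUNCTIONS}
    if hit:
        reasons.append("suspect function: " + ",".join(sorted(hit)))
    # Overlong values are the "unusual parameters" the indicators describe.
    long_params = sorted(
        k for k, vals in rec["params"].items() if any(len(v) > MAX_PARAM_LEN for v in vals)
    )
    if long_params:
        reasons.append("oversized parameter: " + ",".join(long_params))
    return reasons


def scan(lines):
    """Return [(line_number, reasons)] for every line that raised a reason."""
    alerts = []
    for n, line in enumerate(lines, 1):
        reasons = classify(parse_line(line))
        if reasons:
            alerts.append((n, reasons))
    return alerts


# Constructed sample lines (not real traffic). 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-"',
    '10.0.0.5 - - [10/Jun/2025:12:00:03 +0000] "POST /goform/aspForm HTTP/1.1" 200 88 "CMD=GetStatus"',
    '203.0.113.7 - - [10/Jun/2025:12:00:09 +0000] "POST /goform/aspForm HTTP/1.1" 200 10 '
    '"CMD=Edit_BasicSSID&ssid=' + "A" * 300 + '"',
    '203.0.113.7 - - [10/Jun/2025:12:00:10 +0000] "POST /goform/aspForm HTTP/1.1" 500 0 '
    '"CMD=AddMacList&mac=00:11:22:33:44:55"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```

Running it on the constructed lines flags lines 3 and 4 only: the legitimate status query on line 2 hits the same endpoint but none of the listed functions, which is why the SIEM query above requires both the endpoint and a suspect parameter rather than either one.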
