Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight


  • Several H3C Magic router models have critical vulnerabilities
  • The vulnerabilities allow for privilege escalation and command injection
  • No patch has so far been issued for the vulnerabilities

Several H3C Magic router models are vulnerable to command injection attacks that can be launched remotely, according to several new critical CVE listings on the NIST National Vulnerability Database.

A total of 8 vulnerabilities have been listed across 5 different models of H3C Magic router, all of which currently carry a severity score of 8.8.

The affected models in question are the H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000.


Routers vulnerable to command injection

The vulnerabilities are tracked as CVE-2025-2725 through CVE-2025-2732 and allow an attacker to send a specially crafted POST packet or request without authorization to vulnerable APIs in order to obtain the highest privileges available on the device.

The POST packets and requests are designed to trigger specific handler functions within the API files, allowing an attacker to use the backtick (`) - which isn’t filtered as a dangerous character - for command injection with the highest privileges.

Several of the vulnerable routes contain functions to check for dangerous characters such as semicolons, but it appears that the backtick was not included as a dangerous character, allowing the attack to bypass these functions.
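The filtering gap described above, shown as an added example that is not taken from the NVD listings or from H3C firmware: a C denylist that omits the backtick, next to an allowlist check that rejects it. The function names, character lists and sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical denylist of the kind the article describes: it blocks
 * semicolons and similar characters but does not list the backtick. */
static bool denylist_accepts(const char *value)
{
    static const char blocked[] = ";|&$<>\n";   /* constructed list, no '`' */
    return value[strcspn(value, blocked)] == '\0';
}

/* Allowlist alternative: accept only the characters the field needs,
 * so any character nobody thought to list is rejected by default. */
static bool allowlist_accepts(const char *value, size_t max_len)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len = strlen(value);
    if (len == 0 || len > max_len)
        return false;
    return strspn(value, allowed) == len;
}

/* Constructed sample field values, not captured traffic. */
static const char *const SAMPLES[] = { "admin", "guest-01", "user;x", "user`x`" };
#define SAMPLE_COUNT (sizeof SAMPLES / sizeof SAMPLES[0])

/* Counts values that pass the denylist but fail the allowlist. */
static int count_filter_gaps(const char *const *samples, size_t n, size_t max_len)
{
    int gaps = 0;
    for (size_t i = 0; i < n; i++)
        if (denylist_accepts(samples[i]) && !allowlist_accepts(samples[i], max_len))
            gaps++;
    return gaps;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-10s denylist=%d allowlist=%d\n", SAMPLES[i],
               denylist_accepts(SAMPLES[i]), allowlist_accepts(SAMPLES[i], 32));
    printf("gaps: %d\n", count_filter_gaps(SAMPLES, SAMPLE_COUNT, 32));
    return 0;
}
```

Validation of this kind is a second line of defence; passing the value as a separate argument to an exec-family call instead of building a shell command string removes the shell interpretation altogether.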

For the H3C Magic NX15, CVE-2025-2725 allows an attacker to use the body of a POST request to trigger the FCGI_UserLogin function, starting a cascade of functions that results in the attacker being able to remotely execute commands, again using the unfiltered backtick. The attacker can then log in as the root user without using a password and access a root shell.

NVD contacted H3C prior to listing the CVE disclosures, but received no response. Currently, no patch has been issued to address the vulnerabilities. The full list of vulnerabilities can be found here.


Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
