CVE-2025-2725
Published: 25 March 2025
Summary
CVE-2025-2725 is a high-severity Injection (CWE-74) vulnerability in H3C Magic NX15 (inferred from references). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 25.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly remediates the command injection vulnerability by requiring timely firmware upgrades for the affected H3C routers as advised in the vendor recommendation.
- Requires validation of HTTP POST inputs to the /api/login/auth endpoint to block malicious command injection payloads.
- Monitors and controls network communications to restrict adjacent network access (AV:A) required to reach the vulnerable HTTP POST request handler.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection in HTTP POST handler on router enables remote service exploitation (T1210) for arbitrary Unix shell command execution (T1059.004).
NVD Description
A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this vulnerability is an unknown functionality of the file /api/login/auth of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
Deeper analysis (AI)
CVE-2025-2725 is a critical command injection vulnerability (CVSS 8.0; CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting an unknown functionality in the /api/login/auth file of the HTTP POST Request Handler component. The vulnerability impacts H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 routers running versions up to V100R014. It is classified under CWE-74 and CWE-77.
Exploitation requires an attacker positioned within the local network (adjacent network access), possessing low privileges (PR:L), and involves low-complexity manipulation of HTTP POST requests with no user interaction required. Successful attacks enable arbitrary command injection, resulting in high impacts to confidentiality, integrity, and availability.
Advisories recommend upgrading the affected component to a patched version. Relevant resources include the H3C software download portal at https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/, VulDB entries detailing the issue (https://vuldb.com/?ctiid.300745, https://vuldb.com/?id.300745, https://vuldb.com/?submit.520390), and a GitHub repository with vulnerability information (https://github.com/ZIKH26/CVE-information/blob/master/H3C/Vulnerability%20Information_1.md).
The exploit has been publicly disclosed and may be actively used by attackers.
Details
- CWE(s)