Cyber Posture

CVE-2025-2727

High

Published: 25 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2727 is a high-severity Injection (CWE-74) vulnerability in H3C Magic NX30 (inferred from references). Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 44.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 Flaw Remediation requires timely identification, reporting, and patching of the command injection vulnerability, aligning with advisories to upgrade the affected H3C router component.

Prevent: SI-10 Information Input Validation directly prevents command injection by enforcing validation and error handling at the vulnerable /api/wizard/getNetworkStatus HTTP POST endpoint.

Prevent: SC-7 Boundary Protection restricts adjacent network access to the router's management interface, blocking exploitation of the HTTP POST handler requiring local network proximity.

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in an HTTP endpoint on a network device enables exploitation of a remote service for code execution (T1210) and direct arbitrary OS command execution via a Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability, which was classified as critical, was found in H3C Magic NX30 Pro up to V100R007. This affects an unknown part of the file /api/wizard/getNetworkStatus of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Deeper analysis (AI)

CVE-2025-2727 is a critical command injection vulnerability affecting H3C Magic NX30 Pro routers up to version V100R007. The issue resides in an unknown part of the /api/wizard/getNetworkStatus endpoint within the HTTP POST Request Handler component. Successful exploitation allows arbitrary command execution, as classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection). The vulnerability carries a CVSS v3.1 base score of 8.0.

Exploitation requires adjacent network access (AV:A) and low privileges (PR:L); attack complexity is low (AC:L) and no user interaction is needed (UI:N). An attacker with local network proximity and minimal authentication can send a crafted HTTP POST request to the vulnerable endpoint, injecting and executing arbitrary operating system commands on the device. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).

Advisories recommend upgrading the affected component to a patched version, as noted in the vulnerability description and on the linked H3C software download portal. Additional details are available via VulDB entries and a public GitHub disclosure containing the exploit.

The exploit has been publicly disclosed and may be actively used by attackers.
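Until the upgrade is applied, the SC-7 and SI-10 controls above can be backed by a log review of requests to the affected endpoint. The following is an added example, not code from H3C, NVD or this site: it flags logged POSTs to /api/wizard/getNetworkStatus that come from outside a management subnet or carry shell metacharacters. The log schema, the JSON body format, the field name, the subnet and the metacharacter set are all assumptions, since the page does not name the vulnerable parameter.

```python
import ipaddress
import json
import re

ENDPOINT = "/api/wizard/getNetworkStatus"   # endpoint named in the advisory
# Assumption: only this subnet may reach the router's web interface.
MGMT_NET = ipaddress.ip_network("192.168.124.0/28")
# Assumption: characters a status query never needs but a shell interprets.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")

def string_values(node):
    """Yield every string found anywhere in a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from string_values(v)
    elif isinstance(node, list):
        for v in node:
            yield from string_values(v)

def findings(record):
    """Return the reasons a logged request deserves review (empty if none)."""
    if record["method"] != "POST" or record["path"].split("?")[0] != ENDPOINT:
        return []
    reasons = []
    if ipaddress.ip_address(record["src"]) not in MGMT_NET:
        reasons.append("source outside management subnet")
    try:
        values = list(string_values(json.loads(record["body"])))
    except ValueError:
        # Body is not JSON (assumed format): inspect it raw instead of skipping.
        values = [record["body"]]
        reasons.append("unparseable body")
    if any(SHELL_META.search(v) for v in values):
        reasons.append("shell metacharacter in body")
    return reasons

# Constructed sample records (hypothetical log schema and field name).
SAMPLE_LOG = [
    {"src": "192.168.124.5", "method": "POST", "path": ENDPOINT, "body": '{"field": "wan"}'},
    {"src": "192.168.124.77", "method": "POST", "path": ENDPOINT, "body": '{"field": "wan; echo test"}'},
    {"src": "192.168.124.6", "method": "POST", "path": ENDPOINT, "body": "field=$(echo test)"},
    {"src": "192.168.124.77", "method": "GET", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec["src"], rec["path"], findings(rec))
```

A hit is a prompt for review, not proof of exploitation; a form-encoded body will trip the raw-body check on its `&` separators, so adjust the parser to whatever format the device actually uses.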

Details

CWE(s)

Affected Products

H3C Magic NX30 (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-2725: Shared CWE-74, CWE-77
CVE-2026-7067: Shared CWE-74, CWE-77
CVE-2025-2729: Shared CWE-74, CWE-77
CVE-2025-2731: Shared CWE-74, CWE-77
CVE-2025-14108: Shared CWE-74, CWE-77
CVE-2025-14106: Shared CWE-74, CWE-77
CVE-2025-7836: Shared CWE-74, CWE-77
CVE-2025-15139: Shared CWE-74, CWE-77
CVE-2025-14107: Shared CWE-74, CWE-77
CVE-2026-20147: Shared CWE-77

References