Cyber Resilience

CVE-2025-2728

High

Published: 25 March 2025

Published
25 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 56.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2728 is a high-severity Injection (CWE-74) vulnerability in H3C Magic NX30 (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 43.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-2728 is a critical command injection vulnerability (classified under CWE-74 and CWE-77) in H3C Magic NX30 Pro and Magic NX400 routers up to version V100R014. The issue resides in unknown code within the /api/wizard/getNetworkConf file, where manipulation enables command injection. Published on 2025-03-25, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an attacker to be within the local network (adjacent access), with low attack complexity and low privileges such as a valid user account. No user interaction is needed, and successful command injection can lead to high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of the affected device.

Advisories, including those from VulDB and the H3C software download portal, recommend upgrading the affected component to mitigate the vulnerability. Additional details are available in referenced sources such as the GitHub repository at https://github.com/RK1Y8/cve_cve/blob/main/h3c.md and VulDB entries.

EU & UK References

Vulnerability details

A vulnerability has been found in H3C Magic NX30 Pro and Magic NX400 up to V100R014 and classified as critical. This vulnerability affects unknown code of the file /api/wizard/getNetworkConf. The manipulation leads to command injection. The attack needs to be…

more

approached within the local network. It is recommended to upgrade the affected component.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

The command injection vulnerability (CWE-74/77) in the router's web API directly enables arbitrary OS command execution on the network device, mapping to abuse of built-in network device CLIs for command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9584Shared CWE-74, CWE-77
CVE-2026-0732Shared CWE-74, CWE-77
CVE-2026-2530Shared CWE-74, CWE-77
CVE-2026-1689Shared CWE-74, CWE-77
CVE-2026-6989Shared CWE-74, CWE-77
CVE-2026-3704Shared CWE-74, CWE-77
CVE-2026-1125Shared CWE-74, CWE-77
CVE-2026-2163Shared CWE-74, CWE-77
CVE-2026-2527Shared CWE-74, CWE-77
CVE-2026-2526Shared CWE-74, CWE-77

Affected Assets

H3C
Magic NX30
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor-recommended upgrades directly eliminates the command injection vulnerability in the affected H3C router firmware.

prevent

Information input validation directly prevents command injection by checking and sanitizing untrusted inputs to the vulnerable /api/wizard/getNetworkConf endpoint.

prevent

Least privilege limits the scope and impact of injected commands by ensuring the vulnerable API process operates with only necessary privileges.

References