CVE-2025-2729
Published: 25 March 2025
Summary
CVE-2025-2729 is a high-severity Injection (CWE-74) vulnerability in H3C Magic NX15 (inferred from references). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 44.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the command injection vulnerability by requiring timely remediation through vendor-provided patches for the affected H3C Magic devices.
Prevents command injection attacks by validating and sanitizing HTTP POST inputs to the vulnerable /api/wizard/networkSetup endpoint.
Enables detection of command injection exploitation through monitoring for anomalous command executions or system behavior on the affected devices.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in HTTP API endpoint on network device enables exploitation of remote services (T1210) and arbitrary Unix shell command execution (T1059.004).
NVD Description
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects some unknown processing of the file /api/wizard/networkSetup of the component HTTP POST…
more
Request Handler. The manipulation leads to command injection. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
Deeper analysisAI
CVE-2025-2729 is a critical command injection vulnerability (CVSS 3.1 score of 8.0, vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting the HTTP POST Request Handler component in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 devices up to version V100R014. The issue arises in the processing of the /api/wizard/networkSetup file or endpoint, linked to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Command Injection). Published on 2025-03-25, it enables manipulation leading to arbitrary command execution.
Exploitation is limited to the local network (AV:A), requiring low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N). An attacker with adjacent network access and minimal authentication can inject commands via HTTP POST requests to the vulnerable endpoint, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Advisories, including those from VulDB and a GitHub repository documenting the issue, recommend upgrading the affected component to a patched version. The H3C software download portal provides relevant updates.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)