Cyber Posture

CVE-2025-2731

High

Published: 25 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2731 is a high-severity Injection (CWE-74) vulnerability in H3C Magic NX15 (inferred from references). Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 44.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly mitigates the CVE by requiring timely firmware upgrades to patch the command injection vulnerability in the affected H3C router models.

Prevent: Prevents command injection by enforcing input validation and sanitization mechanisms on HTTP POST requests to the vulnerable /api/wizard/getDualbandSync endpoint.

Prevent: Limits exploitation from the adjacent local network by monitoring and controlling access to the vulnerable HTTP management API endpoint.

MITRE ATT&CK Enterprise Techniques [AI]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE describes a command injection vulnerability in a router's HTTP API endpoint, allowing arbitrary command execution via crafted POST requests from an adjacent network. This directly maps to exploitation of remote services (T1210) and command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/wizard/getDualbandSync of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Deeper analysis [AI]

CVE-2025-2731 is a critical command injection vulnerability (CVSS 8.0, CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) discovered in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 routers up to version V100R014. The issue resides in an unknown functionality of the /api/wizard/getDualbandSync endpoint within the HTTP POST Request Handler component and is linked to CWE-74 and CWE-77. Published on 2025-03-25, it enables manipulation via crafted POST requests.

An attacker on the adjacent local network with low privileges can exploit this vulnerability by sending a malicious HTTP POST request to the affected endpoint, requiring low complexity and no user interaction. Successful exploitation leads to arbitrary command injection, granting high-impact compromise of confidentiality, integrity, and availability on the targeted device.

Advisories recommend upgrading the affected component to a patched version as the primary mitigation. Details are available via VulDB entries and the H3C software download portal for relevant firmware updates.

The exploit has been publicly disclosed and may be actively used by attackers.

Details

CWE(s)

Affected Products

H3C Magic NX15 (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-2725: Shared CWE-74, CWE-77
CVE-2025-2727: Shared CWE-74, CWE-77
CVE-2026-7067: Shared CWE-74, CWE-77
CVE-2025-2729: Shared CWE-74, CWE-77
CVE-2025-14108: Shared CWE-74, CWE-77
CVE-2025-14106: Shared CWE-74, CWE-77
CVE-2025-7836: Shared CWE-74, CWE-77
CVE-2025-15139: Shared CWE-74, CWE-77
CVE-2025-14107: Shared CWE-74, CWE-77
CVE-2026-20147: Shared CWE-77

References