Cyber Resilience

CVE-2025-44635

Critical · RCE

Published: 20 June 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0148 (81.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44635 is a critical-severity OS Command Injection (CWE-78) vulnerability in H3C ER2200G2 (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 18.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-44635 is a set of OS command injection flaws (CWE-78) affecting multiple H3C router product lines: the ER2200G2, ERG2-450W, ERG2-1200W, ERG2-1350W, and NR1200W series before ERG2AW-MNW100-R1117; the ER3100G2 through ER8300G2-X series before ERHMG2-MNW100-R1126; the GR3200, GR5200, GR8300 and related models before MiniGR1B0V100R018L50; and the GR-1800AX, GR-3000AX, and GR-5400AX models before their respective listed firmware revisions. The vulnerabilities reside in the access control list (ACL) and user-group handling functions and carry a CVSS 3.1 base score of 9.8.

Unauthenticated remote attackers can exploit the issues by supplying specially crafted strings in the request URL or HTTP headers to bypass authentication, then inject and execute arbitrary operating-system commands with root privileges, resulting in full device takeover.

Vendor advisories at the referenced H3C security notice and support forum pages direct administrators to upgrade the listed router families to the fixed firmware releases ERG2AW-MNW100-R1117, ERHMG2-MNW100-R1126, MiniGR1B0V100R018L50, MiniGRW1B0V100R009L50, SWBRW1A0V100R007L50, and SWBRW1B0V100R009L50 respectively. The associated EPSS scores remain low (current 0.0148, peak 0.0192) with no material increase after disclosure.

EU & UK References

Vulnerability details

There are multiple unauthorized remote command execution vulnerabilities in the H3C ER2200G2, ERG2-450W, ERG2-1200W, ERG2-1350W, NR1200W series routers before ERG2AW-MNW100-R1117; H3C ER3100G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2, ER6300G2, ER8300G2, ER8300G2-X series routers before ERHMG2-MNW100-R1126; GR3200, GR5200, GR8300 and other series routers before MiniGR1B0V100R018L50; GR-1800AX before MiniGRW1B0V100R009L50; GR-3000AX before SWBRW1A0V100R007L50; and GR-5400AX before SWBRW1B0V100R009L50. Attackers can bypass authentication by including specially crafted text in the request URL or message header, and then inject arbitrary malicious commands into some fields related to ACL access control list and user group functions and execute to obtain the highest ROOT privileges of remote devices, thereby completely taking over the remote target devices.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

H3C ER2200G2 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References