CVE-2025-60262
Published: 06 January 2026
Summary
CVE-2025-60262 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in H3C Mc102-G Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
CM-6 directly mitigates the vsftpd misconfiguration by requiring secure configuration settings that prevent anonymous FTP uploads from creating root-owned files.
CM-7 enforces least functionality by prohibiting or restricting unnecessary anonymous FTP services on affected H3C devices.
AC-14 limits permitted actions without identification or authentication, preventing anonymous FTP uploads that gain root ownership and enable remote control.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote attackers to upload files via a public-facing FTP service (T1190, T1210); because of incorrect default permissions (T1044), those files gain root ownership, enabling root-level arbitrary code execution.
NVD Description
An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point: there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol are automatically owned by the root user and remote attackers could gain root-level control over the devices.
Deeper analysis
CVE-2025-60262 is a misconfiguration vulnerability in the vsftpd FTP service on H3C M102G HM1A0V200R010 wireless controllers and BA1500L SWBA1A0V100R006 wireless access points. Published on 2026-01-06, it stems from CWE-276 (Incorrect Default Permissions), where files uploaded anonymously via FTP are automatically owned by the root user. This flaw has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Remote attackers can exploit this vulnerability without authentication by connecting to the FTP service and uploading malicious files anonymously. Since these files gain root ownership, attackers can achieve full root-level control over the affected devices, potentially enabling arbitrary code execution, persistence, or further network compromise.
Mitigation details are outlined in advisories referenced at https://www.notion.so/23e54a1113e780d686fbe1624ee0465d and https://www.notion.so/Misconfiguration-in-H3C-23e54a1113e780d686fbe1624ee0465d.
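The root-ownership path described above can be checked statically in a vsftpd configuration, which is what CM-6 asks for. This is an added example, not code from the advisory or from H3C; the page does not state which vsftpd directives the affected firmware sets, so the combination it flags (anonymous_enable, write_enable and anon_upload_enable on, chown_uploads on with chown_username left at its root default) is an assumption about how this misconfiguration typically arises, and both sample configs are constructed.

```python
from typing import Dict, List

# vsftpd built-in defaults for the relevant directives (per vsftpd.conf(5)).
# chown_username defaulting to root is what turns an anonymous upload into
# a root-owned file once chown_uploads is switched on.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "chown_uploads": "NO",
    "chown_username": "root",
}

def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd's key=value format, skipping blanks and # comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(conf: Dict[str, str]) -> List[str]:
    """Return findings describing the anonymous-upload-to-root path, if present."""
    eff = {**DEFAULTS, **conf}          # explicit settings override defaults
    on = lambda key: eff[key].upper() == "YES"
    findings: List[str] = []
    # anon_upload_enable only takes effect when write_enable is also YES
    if on("anonymous_enable") and on("write_enable") and on("anon_upload_enable"):
        findings.append("anonymous FTP uploads are enabled")
        if on("chown_uploads") and eff["chown_username"] == "root":
            findings.append("anonymously uploaded files are chowned to root")
    return findings

# Constructed sample configs (assumed shape, not taken from the H3C firmware).
WEAK_CONF = """
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
# chown_username not set: vsftpd's default of root applies
"""
HARDENED_CONF = """
anonymous_enable=NO
write_enable=NO
chown_uploads=NO
"""
```

Run `audit_vsftpd(parse_vsftpd_conf(WEAK_CONF))` to see both findings; the hardened config yields none.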
Details
- CWE(s)