CVE-2026-3701
Published: 08 March 2026
Summary
CVE-2026-3701 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in H3C Magic B1 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow vulnerability in Edit_BasicSSID_5G by identifying, reporting, and correcting flaws through timely patching.
Prevents buffer overflow exploitation by validating and restricting the size and format of the 'param' argument in the /goform/aspForm function.
Protects against arbitrary code execution from the buffer overflow via memory protection mechanisms like DEP and stack canaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public web management interface (/goform/aspForm) directly enables remote exploitation of a public-facing application for arbitrary code execution.
NVD Description
A security vulnerability has been detected in H3C Magic B1 up to 100R004. Affected by this vulnerability is the function Edit_BasicSSID_5G of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack can be executed…
more
remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-3701 is a buffer overflow vulnerability in H3C Magic B1 devices up to version 100R004. The issue affects the Edit_BasicSSID_5G function within the /goform/aspForm file, triggered by manipulation of the 'param' argument. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it was published on 2026-03-08.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It can be exploited remotely by low-privileged users (PR:L) with network access and no requirement for user interaction, potentially granting high impacts on confidentiality, integrity, and availability through arbitrary code execution.
Advisories from VulDB and a GitHub report detail the vulnerability and public exploit availability, but note that the vendor was contacted early without any response or patch release. No mitigations are specified in the provided references.
Details
- CWE(s)