Cyber Resilience

CVE-2026-3943

Medium

Published: 11 March 2026

Published
11 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0077 73.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3943 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3943 is a command injection vulnerability (CWE-74, CWE-77) discovered in H3C ACG1000-AK230 devices up to version 20260227. The issue resides in an unknown component of the web interface endpoint /webui/?aaa_portal_auth_local_submit, where manipulation of the "suffix" argument enables arbitrary command execution. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.

Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing unauthorized commands on the device, potentially leading to data leakage, modification, or service disruption.

Advisories from VulDB and a related GitHub issue (leeyper/CVE #1) document the flaw, noting that the vendor is actively investigating and remediating it, though no specific patches are detailed in the available information. Security practitioners should monitor vendor updates via these sources.

The exploit has been publicly disclosed and could be weaponized, increasing the risk of real-world attacks on unpatched H3C ACG1000-AK230 devices.

EU & UK References

Vulnerability details

A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command injection. The attack can be launched remotely. The exploit has been made…

more

public and could be used. The vendor is investigating and remediating this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unauthenticated command injection in public web endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access and results in arbitrary OS command execution via T1059 (Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15131Shared CWE-74, CWE-77
CVE-2026-1687Shared CWE-74, CWE-77
CVE-2026-1414Shared CWE-74, CWE-77
CVE-2025-1845Shared CWE-74, CWE-77
CVE-2025-1947Shared CWE-74, CWE-77
CVE-2025-15133Shared CWE-74, CWE-77
CVE-2025-0328Shared CWE-74, CWE-77
CVE-2025-10962Shared CWE-74, CWE-77
CVE-2025-1946Shared CWE-74, CWE-77
CVE-2025-15132Shared CWE-74, CWE-77

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, prioritization, and remediation of the specific command injection flaw in H3C ACG1000-AK230 up to version 20260227.

prevent

SI-10 implements input validation mechanisms at the vulnerable /webui/?aaa_portal_auth_local_submit endpoint to prevent suffix argument manipulation leading to command injection.

detectrespond

RA-5 employs vulnerability scanning to detect CVE-2026-3943 in deployed H3C devices and initiate risk-based remediation.

References