CVE-2026-3943
Published: 11 March 2026
Summary
CVE-2026-3943 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection in public web endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access and results in arbitrary OS command execution via T1059 (Command and Scripting Interpreter).
NVD Description
A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command injection. The attack can be launched remotely. The exploit has been made…
more
public and could be used. The vendor is investigating and remediating this issue.
Deeper analysisAI
CVE-2026-3943 is a command injection vulnerability (CWE-74, CWE-77) discovered in H3C ACG1000-AK230 devices up to version 20260227. The issue resides in an unknown component of the web interface endpoint /webui/?aaa_portal_auth_local_submit, where manipulation of the "suffix" argument enables arbitrary command execution. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing unauthorized commands on the device, potentially leading to data leakage, modification, or service disruption.
Advisories from VulDB and a related GitHub issue (leeyper/CVE #1) document the flaw, noting that the vendor is actively investigating and remediating it, though no specific patches are detailed in the available information. Security practitioners should monitor vendor updates via these sources.
The exploit has been publicly disclosed and could be weaponized, increasing the risk of real-world attacks on unpatched H3C ACG1000-AK230 devices.
Details
- CWE(s)