CVE-2026-3943
Published: 11 March 2026
Summary
CVE-2026-3943 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3943 is a command injection vulnerability (CWE-74, CWE-77) discovered in H3C ACG1000-AK230 devices up to version 20260227. The issue resides in an unknown component of the web interface endpoint /webui/?aaa_portal_auth_local_submit, where manipulation of the "suffix" argument enables arbitrary command execution. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
Remote attackers require no authentication, privileges, or user interaction to exploit this vulnerability over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing unauthorized commands on the device, potentially leading to data leakage, modification, or service disruption.
Advisories from VulDB and a related GitHub issue (leeyper/CVE #1) document the flaw, noting that the vendor is actively investigating and remediating it, though no specific patches are detailed in the available information. Security practitioners should monitor vendor updates via these sources.
The exploit has been publicly disclosed and could be weaponized, increasing the risk of real-world attacks on unpatched H3C ACG1000-AK230 devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11145
Vulnerability details
A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command injection. The attack can be launched remotely. The exploit has been made…
more
public and could be used. The vendor is investigating and remediating this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection in public web endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access and results in arbitrary OS command execution via T1059 (Command and Scripting Interpreter).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, prioritization, and remediation of the specific command injection flaw in H3C ACG1000-AK230 up to version 20260227.
SI-10 implements input validation mechanisms at the vulnerable /webui/?aaa_portal_auth_local_submit endpoint to prevent suffix argument manipulation leading to command injection.
RA-5 employs vulnerability scanning to detect CVE-2026-3943 in deployed H3C devices and initiate risk-based remediation.