Cyber Posture

CVE-2026-6563

High

Published: 19 April 2026

Published
19 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 14.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6563 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of the 'param' argument in SetAPWifiorLedInfoById to block crafted inputs causing buffer overflow.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation, such as patching the buffer overflow in H3C Magic B1 firmware up to 100R004.

SI-16 Memory Protection partial match
prevent

Implements memory protections like DEP and ASLR to mitigate exploitation of the buffer overflow for code execution or DoS.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Buffer overflow in authenticated web form handler allows low-privilege remote attacker to achieve arbitrary code execution on the router, directly enabling exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been found in H3C Magic B1 up to 100R004. The affected element is the function SetAPWifiorLedInfoById of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. It is possible to initiate the attack…

more

remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-6563 is a buffer overflow vulnerability (CWE-119, CWE-120) in H3C Magic B1 routers up to version 100R004. The flaw affects the SetAPWifiorLedInfoById function in the /goform/aspForm file, where manipulation of the 'param' argument triggers the overflow. Published on 2026-04-19, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely by sending crafted requests, requiring low complexity and no user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or denial of service on the affected device.

References, including a GitHub repository at https://github.com/K4ptor/H3C-routers-vulnerability/ disclosing the exploit and VulDB entries (e.g., https://vuldb.com/vuln/358200), indicate the issue is publicly exploitable. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are detailed in the available information.

Details

CWE(s)
CWE-119CWE-120

CVEs Like This One

CVE-2025-1587Shared CWE-119, CWE-120
CVE-2026-1109Shared CWE-119, CWE-120
CVE-2026-1108Shared CWE-119, CWE-120
CVE-2026-1110Shared CWE-119, CWE-120
CVE-2025-1372Shared CWE-119, CWE-120
CVE-2026-2980Shared CWE-119, CWE-120
CVE-2026-7750Shared CWE-119, CWE-120
CVE-2026-7288Shared CWE-119, CWE-120
CVE-2026-3698Shared CWE-119, CWE-120
CVE-2026-1686Shared CWE-119, CWE-120

References