Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight

News
By published

Several H3C routers have critical vulnerabilities

Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
(Image credit: Shutterstock)
  • Several H3C Magic router models have critical vulnerabilities
  • The vulnerabilities allow for privilege escalation and command injection
  • No patch has so far been issued for the vulnerabilities

Several H3C Magic router models are vulnerable to command injection attacks that can be launched remotely, according to several new critical CVE listings on the NIST National Vulnerability Database.

A total of 8 vulnerabilities have been listed across 5 different models of H3C Magic router, with all currently scoring an 8.8 on the severity score.

The affected models in question are the H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000.

Routers vulnerable to command injection

The vulnerabilities are tracked as CVE-2025-2725-through-2732 and allow an attacker to send a specially crafted POST packet or request without authorization to vulnerable APIs in order to obtain the highest privileges available on the device.

The POST packets and requests are designed to trigger specific handler functions within the API files, allowing an attacker to use the backtick (`) - which isn’t filtered as a dangerous character - for command injection with the highest privileges.

Several of the vulnerable routes contain functions to check for dangerous characters such as semicolons, but it appears that the backtick was not included as a dangerous character allowing the attack to bypass these functions.

For the H3C Magic NX15, CVE-2025-2725 allows an attacker to use the body of a POST request to trigger the FCGI_UserLogin function, starting a cascade of functions that results in the attacker being able to remotely execute commands, again using the unfiltered backtick. The attacker can then log in as the root user without using a password and access a root shell.

NVD contacted H3C prior to listing the CVE disclosures, but received no response. Currently, no patch has been issued to address the vulnerabilities. The full list of vulnerabilities can be found here.

You might also like

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
An image of network security icons for a network encircling a digital blue earth.
Industrial networks exposed to attack by faulty Moxa devices
China
Juniper patches security flaws which could have let hackers take over your router
China
Chinese hackers targeting Juniper Networks routers, so patch now
Cyber-security
Juniper Session Smart routers have a critical flaw, so patch now
A VPN runs on a mobile phone placed on a laptop keyboard
Major new online tunneling vulnerability could put millions of devices at risk
Security
Zyxel says it won’t patch security flaws in its old routers
Latest in Security
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Latest in News
Zotac Gaming RTX 5090 Graphics Card
Nvidia Blackwell stock woes are compounded by price hikes as more RTX 5090 GPUs soar in pricing, and I’m sick and tired of it all at this point
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
An Apple Music pink/pixellated poster advertising DJ with Apple Music
DJ with Apple Music lands, allowing subscribers to build and mix DJ sets directly from its +100 million-song catalog
The Meta Quest 3 and controllers on their charging station which is itself on a wooden desk next to a lamp
Forget Android XR, I've got my eyes on Vivo's new Meta Quest 3 competitor as it could be the most important VR headset of 2025
Samsung Galaxy S25 from the front
The Now Bar on Samsung One UI 7 is about to get a lot more useful – and could soon match Live Activities on iOS
Marvel Rivals
Marvel Rivals will get two new hero skins for Moon Knight and Black Panther this week meaning I'll now need to farm even more Units
More about security
Data leak

A major Keenetic router data leak could put a million households at risk
Code Skull

This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An Nvidia RTX 5080 vs RTX 4080 Super against a two-tone background

Nvidia RTX 5080 vs RTX 4080 Super: should you upgrade to the latest Blackwell GPU?
See more latest
Most Popular
Data leak
A major Keenetic router data leak could put a million households at risk
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Quordle on a smartphone held in a hand
Quordle hints and answers for Wednesday, March 26 (game #1157)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Wednesday, March 26 (game #388)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Wednesday, March 26 (game #654)
Nvidia app
Tired of manually optimizing your games? Nvidia's new G-Assist could save you time
Zotac Gaming RTX 5090 Graphics Card
Nvidia Blackwell stock woes are compounded by price hikes as more RTX 5090 GPUs soar in pricing, and I’m sick and tired of it all at this point
Demonstrators protesting against the arrest of the Mayor of Istanbul Ekrem Imamoglu block Atatürk Boulevard on March 22, 2025 in Ankara, Türkiye.
Turkey's social media ban has been lifted, but VPN usage is still high
An iPhone running iOS 18 on a purple and blue background
iOS 18.4 could launch soon with a major upgrade to your iPhone’s notifications
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems