CVE-2025-3539

Severity CVSS v4.0:

HIGH

Type:

CWE-74 Injection

Publication date:

13/04/2025

Last modified:

15/04/2025

Description

A vulnerability classified as critical has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getBasicInfo of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Impact

Vector 4.0

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 8.60 HIGH
Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0

8.60

Severity 4.0

HIGH

Vector 3.x

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 8.00 HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

8.00

Severity 3.x

HIGH

Vector 2.0

AV:A/AC:L/Au:S/C:C/I:C/A:C CVSS v2.0 Severity and Metrics:

Base Score: 7.70 HIGH
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C

Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Authentication (Au): Single
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete

Base Score 2.0

7.70

Severity 2.0

HIGH

CVE-2025-3539

Description

Impact

References to Advisories, Solutions, and Tools