CVE-2025-3545 in Magic NX15
Summary
by MITRE • 04/14/2025
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been classified as critical. Affected is the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/setLanguage of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
Analysis
by VulDB Data Team • 04/14/2025
This critical vulnerability exists in H3C's Magic series network devices including NX15, NX30 Pro, NX400, R3010, and BE18000 models running firmware versions up to V100R014. The flaw resides in the HTTP POST Request Handler component where the FCGI_CheckStringIfContainsSemicolon function fails to properly sanitize user input. This function is part of the /api/wizard/setLanguage endpoint which processes language configuration requests. The vulnerability allows for command injection when malicious input containing semicolon characters is processed, bypassing the intended input validation mechanisms. The security flaw represents a significant risk as it enables attackers to execute arbitrary commands on the affected devices with the privileges of the web server process.
This vulnerability stems from improper input validation and sanitization within the FastCGI processing framework used by the web server component. When the FCGI_CheckStringIfContainsSemicolon function encounters user-supplied data containing semicolon characters, it fails to escape or filter these special characters, which are commonly used in command injection attacks. This weakness aligns with CWE-77, which describes improper neutralization of special elements used in commands, and CWE-94, which covers improper control of generation of code. The vulnerability operates at the application layer and requires local network access, making it exploitable through authenticated attack vectors within the device's network segment.
The operational impact of this vulnerability is severe as it provides attackers with complete command execution capabilities on affected network devices. Once exploited, an attacker could gain full administrative control over the device, potentially leading to network disruption, data exfiltration, or use as a pivot point for further attacks within the network infrastructure. The vulnerability affects enterprise-grade network equipment that typically serves as critical infrastructure components, making the potential damage substantial. Attackers could leverage this flaw to establish persistent backdoors, modify network configurations, or redirect traffic through malicious routing. The fact that the exploit has been publicly disclosed increases the likelihood of active exploitation in real-world scenarios, particularly in environments where network segmentation is insufficient.
Organizations affected by this vulnerability should prioritize immediate firmware upgrades to the latest available versions that contain patches for this specific issue. The recommended mitigation strategy involves upgrading all affected H3C Magic series devices to firmware versions that address the input validation flaw in the HTTP POST Request Handler component. Network administrators should also implement additional security controls such as restricting local network access to these devices, implementing network segmentation, and monitoring for unusual traffic patterns that might indicate exploitation attempts. From an ATT&CK perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1021.001 (Remote Services: Remote Desktop Protocol) as it enables command execution capabilities. Additionally, organizations should consider implementing web application firewalls and input validation controls to prevent similar vulnerabilities from occurring in other applications within their network infrastructure.
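The monitoring and access-restriction advice above can be turned into a simple log triage. The following is an added example, not code from VulDB, MITRE or H3C: it flags POST requests to /api/wizard/setLanguage that come from outside a management network or carry shell metacharacters in the body. The log layout, the management subnet, the JSON field name and all sample lines are constructed assumptions.

```python
import ipaddress
import re

ENDPOINT = "/api/wizard/setLanguage"  # path named in the advisory
# Assumption: hosts allowed to administer the device (constructed value).
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# Characters a shell treats specially; a language setting never needs them.
SHELL_META = re.compile(r"[;|&`$()<>\\\n\r]")

# Constructed log lines: time, source IP, method, path, body (tab-separated).
# The JSON field name "language" is an assumption, not taken from the device.
SAMPLE_LOG = "\n".join([
    '2025-04-15T08:01:12Z\t192.0.2.5\tPOST\t/api/wizard/setLanguage\t{"language":"en"}',
    '2025-04-15T08:03:40Z\t198.51.100.23\tPOST\t/api/wizard/setLanguage\t{"language":"en"}',
    '2025-04-15T08:05:02Z\t192.0.2.7\tPOST\t/api/wizard/setLanguage\t{"language":"en;CONSTRUCTED"}',
    '2025-04-15T08:06:19Z\t198.51.100.23\tGET\t/index.html\t-',
    'not a log line',
])

def triage(log_text, mgmt_nets=MGMT_NETS):
    """Return (timestamp, source, reasons) for each suspicious request to ENDPOINT."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess
        ts, src, method, path, body = fields
        if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
            continue
        reasons = []
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            reasons.append("unparseable source address")
        else:
            if not any(addr in net for net in mgmt_nets):
                reasons.append("source outside management network")
        if SHELL_META.search(body):
            reasons.append("shell metacharacter in body")
        if reasons:
            alerts.append((ts, src, reasons))
    return alerts

if __name__ == "__main__":
    for ts, src, reasons in triage(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```

Adapt the field splitting to whatever the upstream proxy or packet capture actually records; the device's own logging format is not described in this entry.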