{"id":34304,"date":"2025-05-03T12:53:09","date_gmt":"2025-05-03T12:53:09","guid":{"rendered":""},"modified":"2025-05-14T05:21:00","modified_gmt":"2025-05-14T05:21:00","slug":"cve-2025-3539-command-injection-vulnerability-in-h3c-magic-devices","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-3539-command-injection-vulnerability-in-h3c-magic-devices\/","title":{"rendered":"CVE-2025-3539: Command Injection Vulnerability in H3C Magic Devices<\/strong>"},"content":{"rendered":"

Overview<\/strong><\/p>\n

A critical vulnerability, CVE-2025-3539, has recently been discovered in several products under the H3C Magic series. This vulnerability, which carries a high CVSS severity score of 8.0, affects the H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010, and Magic BE18000 up to version V100R014. Exploitation of this vulnerability could potentially lead to system compromise or data<\/a> leakage, making it a significant threat to businesses and individuals using these devices.
\nThe vulnerability lies in the function FCGI_CheckStringIfContainsSemicolon of the file<\/a> \/api\/wizard\/getBasicInfo, which is part of the HTTP POST Request Handler component. Notably, attackers can only exploit this vulnerability within a local<\/a> network. Nonetheless, due to its critical level of severity and the potential<\/a> impacts, it warrants urgent attention and immediate mitigation.<\/p>\n

Vulnerability Summary<\/strong><\/p>\n

CVE ID: CVE-2025-3539
\nSeverity: Critical (8.0)
\nAttack Vector: Local Network
\nPrivileges Required: Low
\nUser Interaction: None
\nImpact: System compromise<\/a> or data leakage<\/p>\n

Affected Products<\/strong><\/p>

\r\n

\r\n \r\n \"Ameeba\r\n <\/a>\r\n A new way to communicate\r\n <\/h2>\r\n\r\n

\r\n Ameeba Chat is built on encrypted identity, not personal profiles.\r\n <\/p>\r\n\r\n

\r\n Message, call, share files, and coordinate with identities kept separate.\r\n <\/p>\r\n\r\n