CVE-2025-44635: n/a

Severity: Critical
Tags: Vulnerability, CVE-2025-44635
Published: Fri Jun 20 2025 (06/20/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

There are multiple unauthorized remote command execution vulnerabilities in the H3C ER2200G2, ERG2-450W, ERG2-1200W, ERG2-1350W, and NR1200W series routers before ERG2AW-MNW100-R1117; the H3C ER3100G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2, ER6300G2, ER8300G2, and ER8300G2-X series routers before ERHMG2-MNW100-R1126; the GR3200, GR5200, GR8300 and other series routers before MiniGR1B0V100R018L50; GR-1800AX before MiniGRW1B0V100R009L50; GR-3000AX before SWBRW1A0V100R007L50; and GR-5400AX before SWBRW1B0V100R009L50. Attackers can bypass authentication by including specially crafted text in the request URL or message header, and then inject arbitrary malicious commands into some fields related to the ACL (access control list) and user group functions. The injected commands execute with the highest (root) privileges on the remote device, allowing an attacker to completely take over the target device.

AI-Powered Analysis

AILast updated: 06/21/2025, 12:36:37 UTC

Technical Analysis

CVE-2025-44635 is a critical remote command execution vulnerability affecting multiple models of H3C routers, including the ER2200G2, the ERG2 series, the NR1200W series, the ER3100G2 through ER8300G2 series, and the GR series routers, among others. The vulnerability exists in firmware versions prior to the fixed releases named in the description (e.g., ERG2AW-MNW100-R1117, ERHMG2-MNW100-R1126, MiniGR1B0V100R018L50). Attackers can exploit this flaw by sending specially crafted HTTP requests that include malicious text in the URL or message headers. This crafted input bypasses the authentication mechanism and allows injection of arbitrary commands into fields related to Access Control List (ACL) and user group management functions. Successful exploitation grants attackers root-level privileges on the affected devices, enabling full remote control of the routers. This could allow attackers to manipulate network traffic, intercept sensitive data, disrupt network operations, or use the compromised devices as footholds for further attacks within the network. The vulnerability requires neither prior authentication nor user interaction, which increases its risk profile. Although no exploits are currently reported in the wild, the severity and ease of exploitation make it a significant threat to organizations using these H3C router models.

Potential Impact

For European organizations, the impact of this vulnerability is substantial. Compromise of core network routers can lead to complete loss of confidentiality, integrity, and availability of network communications. Attackers with root access can intercept or redirect sensitive data, disrupt business operations by causing network outages, or launch further attacks such as lateral movement or data exfiltration. Critical sectors such as finance, telecommunications, government, and critical infrastructure that rely on these routers for secure and reliable connectivity are particularly at risk. The ability to bypass authentication and execute commands remotely means that attackers can compromise devices without insider access or user interaction, increasing the likelihood of successful attacks. The widespread use of H3C routers in enterprise and service provider environments across Europe amplifies the potential scale of impact.

Mitigation Recommendations

1. Immediate firmware upgrade: Organizations should prioritize updating affected H3C router models to the fixed firmware versions listed in the advisory (e.g., ERG2AW-MNW100-R1117 or later).
2. Network segmentation: Isolate affected routers from untrusted networks and restrict management interfaces to trusted administrative networks only.
3. Access control: Implement strict ACLs and firewall rules to limit access to router management interfaces, preferably allowing only specific IP addresses or VPN connections.
4. Monitoring and logging: Enable detailed logging on routers and network devices to detect unusual access patterns or command executions.
5. Incident response readiness: Prepare to isolate and remediate compromised devices quickly, including having backups of router configurations and a plan for rapid firmware reinstallation.
6. Vendor engagement: Maintain close communication with H3C for updates, patches, and guidance.
7. Disable unnecessary services: Turn off any unused management protocols or services on the routers to reduce attack surface.
8. Conduct penetration testing and vulnerability scanning focused on these devices to proactively identify exploitation attempts.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68568e83aded773421b5a926

Added to database: 6/21/2025, 10:50:43 AM

Last enriched: 6/21/2025, 12:36:37 PM

Last updated: 8/14/2025, 1:02:32 AM
