
CVE-2025-61330: n/a

Medium
Published: Thu Oct 16 2025 (10/16/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak password for the root account in the /etc/shadow configuration or even the absence of any password at all. Some of these devices have the Telnet service enabled by default, or users can choose to enable the Telnet service in other device management interfaces (e.g. /debug.asp or /debug_telnet.asp). In addition, these devices have related interfaces called Virtual Servers, which can map the devices to the public network, posing the risk of remote attacks. Therefore, attackers can obtain the highest root privileges of the devices through the Telnet service using the weak password hardcoded in the firmware (or without a password), and remote attacks are possible.

AI-Powered Analysis

Last updated: 10/16/2025, 18:15:22 UTC

Technical Analysis

CVE-2025-61330 is a critical security vulnerability discovered in all Magic-branded network devices manufactured by H3C, a Chinese vendor. The root cause is the presence of a hard-coded weak password or no password at all for the root account stored in the /etc/shadow file within the device firmware. This flaw allows attackers to bypass authentication mechanisms and gain root-level privileges. Many of these devices have the Telnet service enabled by default or allow users to enable Telnet via management interfaces such as /debug.asp or /debug_telnet.asp. Telnet is an insecure protocol that transmits credentials in plaintext, further exacerbating the risk. Additionally, these devices support Virtual Server configurations that can expose internal device management interfaces to the public internet, enabling remote attackers to exploit the vulnerability without physical or local network access. Once exploited, attackers can fully control the device, potentially altering configurations, intercepting or redirecting network traffic, deploying malware, or using the device as a pivot point for further attacks. The vulnerability affects all versions of Magic-branded devices, though specific affected firmware versions are not detailed. No official patches or updates have been linked yet, and no known exploits are reported in the wild as of the publication date. The vulnerability was reserved on 2025-09-26 and published on 2025-10-16, with no CVSS score assigned yet.

Potential Impact

For European organizations, this vulnerability poses a severe risk to network security and operational continuity. Organizations using H3C Magic-branded devices in their network infrastructure—such as ISPs, enterprises, government agencies, and critical infrastructure providers—may face unauthorized full device compromise. Attackers gaining root access can manipulate network traffic, disrupt services, exfiltrate sensitive data, or create persistent backdoors. The presence of Telnet enabled by default or easily enabled increases the attack surface, especially if devices are exposed to public networks via Virtual Server configurations. This could lead to widespread network outages, data breaches, and loss of trust. The impact is magnified in sectors with stringent regulatory requirements like GDPR, where data confidentiality and integrity are paramount. Additionally, compromised devices could be leveraged in broader cyber campaigns targeting European entities, affecting national security and economic stability.

Mitigation Recommendations

Immediate mitigation steps include disabling the Telnet service on all affected devices to prevent remote unauthenticated access. Network administrators should audit device configurations to ensure Telnet is not enabled or accessible from untrusted networks. Changing any default or weak passwords on the root account is critical, although the hard-coded nature may limit this option until firmware updates are available. Network segmentation and firewall rules should be implemented to restrict access to device management interfaces, especially those exposed via Virtual Server configurations. Monitoring network traffic for unusual Telnet connections or root-level access attempts can help detect exploitation attempts. Organizations should engage with H3C or authorized vendors to obtain firmware updates or patches addressing this vulnerability as soon as they are released. Where possible, consider replacing affected devices with alternatives that do not have this vulnerability. Finally, incident response plans should be updated to handle potential exploitation scenarios involving these devices.
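The root cause described above is a root entry in the firmware's /etc/shadow with an empty or weakly protected password field, so a firmware review can check that file directly. The following is an added example, not part of the original advisory or any H3C tooling: it classifies each password field of a shadow file taken from an unpacked firmware image. The sample entries and the status names are constructed for illustration.

```python
import re

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# crypt(3) prefix -> (scheme name, considered weak for a shipped credential)
SCHEMES = {"$1$": ("md5crypt", True), "$5$": ("sha256crypt", False),
           "$6$": ("sha512crypt", False), "$y$": ("yescrypt", False),
           "$2b$": ("bcrypt", False)}

def classify(field):
    """Map a shadow password field to (status, scheme)."""
    if field == "":
        return ("no-password", None)      # login succeeds with no password
    if field[0] in "!*":
        return ("locked", None)           # no password can match this entry
    for prefix, (name, weak) in SCHEMES.items():
        if field.startswith(prefix):
            # Even a strong hash in a firmware image is the same on every
            # unit unless provisioning replaces it, so it is still reported.
            return ("weak-hash" if weak else "static-hash", name)
    if DES_RE.match(field):
        return ("weak-hash", "descrypt")
    return ("unknown", None)

def audit_shadow(text):
    """Return (line, user, status, scheme) for every entry that is not locked."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append((n, None, "malformed", None))
            continue
        status, scheme = classify(parts[1])
        if status != "locked":
            findings.append((n, parts[0], status, scheme))
    return findings

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root::0:0:99999:7:::
admin:$1$constructed$placeholderplaceholder0:0:0:99999:7:::
support:XXplaceholder:0:0:99999:7:::
daemon:*:0:0:99999:7:::
nobody:!:0:0:99999:7:::
svc:$6$constructed$placeholder:0:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

Any `no-password` or `weak-hash` finding for an account reachable over Telnet matches the condition this CVE describes; `static-hash` findings deserve a check that first-boot provisioning actually replaces the credential.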


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68f132689f8a5dbaeaef9be7

Added to database: 10/16/2025, 5:59:04 PM

Last enriched: 10/16/2025, 6:15:22 PM

Last updated: 10/19/2025, 8:10:58 AM
