CVE-2023-33629
published 2023-05-31CVE-2023-33629: H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
PriorityP273high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
4.35%
90.0th percentile
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3c | magic_r300-2100m_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
otherapp="H3C-Ent-Router"
- →Two-stage exploitation: POST to /goform/aspForm triggers command execution writing output to a randomly named file under /www/; a subsequent GET to that filename returning HTTP 200 with 'www' and 'www_multi' in the body confirms RCE.
- →FOFA fingerprint 'app="H3C-Ent-Router"' (case-insensitive) can be used to identify exposed H3C Magic R300 devices on the internet for proactive scanning.
- ·Exploitation requires authenticated access with high privileges (PR:H per CVSS); unauthenticated exploitation is not indicated by available sources.
- ·The vulnerability is confirmed only for firmware version R300-2100MV100R004; other firmware versions are not confirmed vulnerable. ↗
- ·The Nuclei template uses a randomly generated lowercase 7-character alpha filename ({{to_lower(rand_text_alpha(7))}}) as the drop path under /www/; detection rules based on static filenames will not catch this pattern — monitor for any unexpected file creation under /www/ instead.
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f768-3jpm-9pgw: H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm
ghsa_unreviewed·2023-05-31
CVE-2023-33629 [HIGH] CWE-787 GHSA-f768-3jpm-9pgw: H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
VulnCheck
h3c magic_r300-2100m_firmware Out-of-bounds Write
vulncheck·2023·CVSS 7.2
CVE-2023-33629 [HIGH] h3c magic_r300-2100m_firmware Out-of-bounds Write
h3c magic_r300-2100m_firmware Out-of-bounds Write
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
Affected: h3c magic_r300-2100m_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2023-33629
No detection rules found.
Nuclei
H3C Magic R300-2100M - Remote Code Execution
nuclei·CVSS 7.2
CVE-2023-33629 [HIGH] H3C Magic R300-2100M - Remote Code Execution
H3C Magic R300-2100M - Remote Code Execution
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
Template:
id: CVE-2023-33629
info:
name: H3C Magic R300-2100M - Remote Code Execution
author: DhiyaneshDK
severity: high
description: |
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
impact: |
Authenticated high-privilege attackers can exploit stack overflow through command injection in the DelL2tpLNSList parameter to execute arbitrary commands on the H3C Magic R300 router with root privileges.
remediation: |
Update H3C Magic R300-2100M firmware to a version newer than R300-2100MV100R004 that properly validates input
No writeups or analysis indexed.
2023-05-31
Published
Exploited in the wild