cbcvebase.
CVE-2023-33629
published 2023-05-31

CVE-2023-33629: H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.

PriorityP273high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
4.35%
90.0th percentile
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.

Affected

1 ranges
VendorProductVersion rangeFixed in
h3cmagic_r300-2100m_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/aspForm
otherapp="H3C-Ent-Router"
  • Two-stage exploitation: POST to /goform/aspForm triggers command execution writing output to a randomly named file under /www/; a subsequent GET to that filename returning HTTP 200 with 'www' and 'www_multi' in the body confirms RCE.
  • FOFA fingerprint 'app="H3C-Ent-Router"' (case-insensitive) can be used to identify exposed H3C Magic R300 devices on the internet for proactive scanning.
  • ·Exploitation requires authenticated access with high privileges (PR:H per CVSS); unauthenticated exploitation is not indicated by available sources.
  • ·The vulnerability is confirmed only for firmware version R300-2100MV100R004; other firmware versions are not confirmed vulnerable.
  • ·The Nuclei template uses a randomly generated lowercase 7-character alpha filename ({{to_lower(rand_text_alpha(7))}}) as the drop path under /www/; detection rules based on static filenames will not catch this pattern — monitor for any unexpected file creation under /www/ instead.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.