CVE-2024-32238
published 2024-04-22


Priority: P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 53.23% (98.8th percentile)
H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.

Detection & IOCs (extracted from sources)

url: GET /userLogin.asp HTTP/1.1
url: GET /userLogin.asp/../actionpolicy_status/../{{module_name}}.cfg HTTP/1.1
path: /userLogin.asp
path: /userLogin.asp/../actionpolicy_status/../<module_name>.cfg
other: admpwd=
other: auxauthmode=
other: H3C-Miniware
  • Fingerprint vulnerable H3C ER8300G2-X devices via FOFA using the body string 'icg_helpScript.js'
  • Exploit requires two sequential HTTP requests: first GET /userLogin.asp to extract the module name via regex '([A-Za-z0-9-]+)系统管理', then GET /userLogin.asp/../actionpolicy_status/../<module_name>.cfg to retrieve the config file containing credentials
  • Successful exploitation is confirmed when the response has HTTP 200, Content-Type 'application/x-unknown', body contains both 'admpwd=' and 'auxauthmode=', and Server header contains 'H3C-Miniware'
  • The module name used in the path traversal .cfg request is extracted from the login page body using the regex pattern '([A-Za-z0-9-]+)系统管理'
  • The path traversal segment uses a dynamic module name extracted from the login page; the exact .cfg filename varies per device and must be resolved at runtime from the first HTTP response
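The two-request pattern above is easy to spot in web-server access logs. The following Python is an added detection example, not from the advisory or any vendor tooling: it percent-decodes each request path, flags login-page-to-.cfg traversals, and notes whether the same client fetched /userLogin.asp just before and whether the server answered 200. The log lines, IP addresses and module name are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Addresses are
# documentation ranges and EXAMPLE-MODULE is a placeholder module name.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2024:10:01:02 +0000] "GET /userLogin.asp HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [22/Apr/2024:10:01:03 +0000] "GET /userLogin.asp/../actionpolicy_status/../EXAMPLE-MODULE.cfg HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.4 - - [22/Apr/2024:10:05:00 +0000] "GET /userLogin.asp/..%2factionpolicy_status/..%2fEXAMPLE-MODULE.cfg HTTP/1.1" 404 300 "-" "python-requests/2.31"
192.0.2.9 - - [22/Apr/2024:10:07:10 +0000] "GET /userLogin.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Apr/2024:10:07:20 +0000] "POST /userLogin.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A request that starts at the login page, steps up with "..", and ends in .cfg.
TRAVERSAL_RE = re.compile(r'^/userLogin\.asp/.*\.\./.*\.cfg$', re.IGNORECASE)


def is_cfg_traversal(raw_path: str) -> bool:
    """Decode twice (catches %252e double encoding), drop the query, then match."""
    path = unquote(unquote(raw_path)).split('?', 1)[0]
    return bool(TRAVERSAL_RE.match(path))


def find_suspicious(log_text: str) -> list:
    """One finding per traversal hit. 'chained' means the same client fetched
    /userLogin.asp earlier in the log (the two-request sequence); 'likely_success'
    means the server returned 200, i.e. the .cfg was probably served."""
    seen_login = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m['ip'], m['path'], int(m['status'])
        if is_cfg_traversal(path):
            findings.append({
                'ip': ip, 'ts': m['ts'], 'path': path, 'status': status,
                'chained': ip in seen_login,
                'likely_success': status == 200,
            })
        elif m['method'] == 'GET' and path.split('?', 1)[0].lower() == '/userlogin.asp':
            seen_login.add(ip)
    return findings


if __name__ == '__main__':
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A 200 with Content-Type application/x-unknown on such a request, per the indicators listed above, should be treated as a confirmed disclosure and the device's credentials rotated.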

CVSS provenance

NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL