CVE-2025-10942
published 2025-09-25


Priority: P265 (high) · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.7th percentile)
A vulnerability was identified in H3C Magic B3 up to 100R002. This affects the function AddMacList/EditMacList of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (4 ranges)

Vendor   Product                                   Version range   Fixed in
h3c      magic_b3                                  -               -
msrc     cbl_mariner_1.0_arm                       -               -
msrc     cbl_mariner_1.0_x64                       -               -
msrc     cm1_kernel_5.4.91-3_on_cbl_mariner_1.0    -               -

Detection & IOCs (extracted from sources)

path: /goform/aspForm
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/goform/aspForm"; fast_pattern; http.request_body; content:"param|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.md#poc; reference:cve,2025-10942; classtype:web-application-attack; sid:2064918; rev:1; metadata:affected_product H3C, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_09_25, cve CVE_2025_10942, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Target HTTP POST requests to the exact URI /goform/aspForm (URI length is exactly 15 bytes). Match on request body containing 'param=' (hex: param|3d|) followed by a value of 100 or more non-ampersand characters, indicating an oversized param value consistent with buffer overflow exploitation.
  • The exploit targets the AddMacList and EditMacList functions via the aspForm endpoint. Detection should focus on the 'param' POST body argument being manipulated with an abnormally long value.
  • Traffic is expected in plaintext (not TLS-encrypted); deploy detection at the network perimeter and internally.
  • The exploit is publicly available and can be initiated remotely; treat any matching traffic as high-severity and prioritize alerting.
  • The Snort/Suricata rule (ET sid:2064918) uses a PCRE match on the request body (/^[^&]{100,}(?:&|$)/R) anchored relative to the 'param=' content match. Ensure your IDS/IPS engine supports the /R (relative) PCRE flag for correct operation.
  • The URI bsize:15 constraint means the rule only fires when the URI is exactly '/goform/aspForm' with no additional path components. Verify your HTTP normalisation settings do not append trailing slashes or query strings that would break this match.
  • The vendor (H3C) did not respond to disclosure; no official patch is confirmed. Affected version is H3C Magic B3 up to 100R002. Treat all such devices as unpatched until vendor guidance is issued.
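To make the rule's conditions concrete, the following is an added Python re-implementation of the sid:2064918 matching logic (method, exact 15-byte URI, 'param=' followed by 100 or more non-'&' bytes) run over constructed HTTP requests; it is example code written for this page, not the Emerging Threats rule or anything from the cited sources, and the host name and request bodies are made up.

```python
import re

# The rule's PCRE "/^[^&]{100,}(?:&|$)/R" is evaluated relative to the end of
# the content:"param|3d|" match. Python's '^' does not match at a non-zero
# offset, so it is dropped; match(body, pos) already anchors at that offset.
OVERSIZED_VALUE = re.compile(rb"[^&]{100,}(?:&|$)")
PARAM_KEY = b"param="

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, target, _version = request_line.split(b" ", 2)
    return method, target, body

def matches_sid_2064918(raw: bytes) -> bool:
    """True if the request satisfies every condition of ET sid:2064918."""
    method, target, body = parse_request(raw)
    if method != b"POST":                      # http.method; content:"POST"
        return False
    if target != b"/goform/aspForm":           # http.uri; bsize:15 (exact URI)
        return False
    # content:"param|3d|" may occur more than once in the body; like the IDS
    # engine, retry the relative PCRE at each occurrence before giving up.
    start = 0
    while (idx := body.find(PARAM_KEY, start)) >= 0:
        if OVERSIZED_VALUE.match(body, idx + len(PARAM_KEY)):
            return True
        start = idx + 1
    return False

def build_post(target: bytes, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 request; 'router.example' is made up."""
    return (b"POST " + target + b" HTTP/1.1\r\nHost: router.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

if __name__ == "__main__":
    # Constructed requests exercising the rule's edge cases (no real traffic).
    samples = {
        "normal 5-byte value":         build_post(b"/goform/aspForm", b"param=abcde&op=1"),
        "99-byte value (below cap)":   build_post(b"/goform/aspForm", b"param=" + b"A" * 99),
        "100-byte value (alert)":      build_post(b"/goform/aspForm", b"param=" + b"A" * 100),
        "trailing slash breaks bsize": build_post(b"/goform/aspForm/", b"param=" + b"A" * 120),
        "second param= occurrence":    build_post(b"/goform/aspForm", b"param=x&param=" + b"B" * 100 + b"&z=1"),
    }
    for label, req in samples.items():
        print(f"{label:30} -> {'ALERT' if matches_sid_2064918(req) else 'pass'}")
```

The trailing-slash case is the bsize:15 caveat from the notes above: a normaliser that rewrites the URI will silently turn an alert into a pass.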

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v4.0      7.4     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd          v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc  -         5.3     MEDIUM     -