CVE-2025-10942
published 2025-09-25CVE-2025-10942: A vulnerability was identified in H3C Magic B3 up to 100R002. This affects the function AddMacList/EditMacList of the file /goform/aspForm. The manipulation of…
PriorityP265high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.73%
49.7th percentile
A vulnerability was identified in H3C Magic B3 up to 100R002. This affects the function AddMacList/EditMacList of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h3c | magic_b3 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_kernel_5.4.91-3_on_cbl_mariner_1.0 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/goform/aspForm"; fast_pattern; http.request_body; content:"param|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.md#poc; reference:cve,2025-10942; classtype:web-application-attack; sid:2064918; rev:1; metadata:affected_product H3C, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_09_25, cve CVE_2025_10942, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)- →Target HTTP POST requests to the exact URI /goform/aspForm (URI length is exactly 15 bytes). Match on request body containing 'param=' (hex: param|3d|) followed by a value of 100 or more non-ampersand characters, indicating an oversized param value consistent with buffer overflow exploitation.
- →The exploit targets the AddMacList and EditMacList functions via the aspForm endpoint. Detection should focus on the 'param' POST body argument being manipulated with an abnormally long value.
- →Traffic is expected in plaintext (not TLS-encrypted); deploy detection at the network perimeter and internally. The exploit is publicly available.
- →The exploit is publicly available and remotely initiatable; treat any matching traffic as high-severity and prioritize alerting.
- ·The Snort/Suricata rule (ET sid:2064918) uses a PCRE match on the request body (/^[^&]{100,}(?:&|$)/R) anchored relative to the 'param=' content match. Ensure your IDS/IPS engine supports the /R (relative) PCRE flag for correct operation.
- ·The URI bsize:15 constraint means the rule only fires when the URI is exactly '/goform/aspForm' with no additional path components. Verify your HTTP normalisation settings do not append trailing slashes or query strings that would break this match.
- ·The vendor (H3C) did not respond to disclosure; no official patch is confirmed. Affected version is H3C Magic B3 up to 100R002. Treat all such devices as unpatched until vendor guidance is issued.
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4h6c-jx8m-qmff: A vulnerability was identified in H3C Magic B3 up to 100R002
ghsa_unreviewed·2025-09-25
CVE-2025-10942 [HIGH] CWE-119 GHSA-4h6c-jx8m-qmff: A vulnerability was identified in H3C Magic B3 up to 100R002
A vulnerability was identified in H3C Magic B3 up to 100R002. This affects the function AddMacList of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Microsoft
In the Linux kernel before 5.5.8 get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field which might allow attackers to trigger kernel stack corruption via crafted system calls.
vendor_msrc·2020-03-10·CVSS 5.3
CVE-2020-10942 [MEDIUM] CWE-787 In the Linux kernel before 5.5.8 get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field which might allow attackers to trigger kernel stack corruption via crafted system calls.
In the Linux kernel before 5.5.8 get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field which might allow attackers to trigger kernel stack corruption via crafted system calls.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the C
Suricata
ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942)
suricata·2025-09-25·CVSS 7.4
CVE-2025-10942 [HIGH] ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942)
ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/goform/aspForm"; fast_pattern; http.request_body; content:"param|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.md#poc; reference:cve,2025-10942; classtype:web-application-attack; sid:2064918; rev:1; metadata:affected_product H3C, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_09_25, cve CVE_2025_10942, deployment Perimeter, deployment Internal, performance_i
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.mdhttps://github.com/lin-3-start/lin-cve/blob/main/H3C%2BMagic%2BB3/H3C%20routers%20Buffer%20overflow.md#pochttps://vuldb.com/?ctiid.325812https://vuldb.com/?id.325812https://vuldb.com/?submit.651813https://vuldb.com/?submit.684667
2025-09-25
Published