CVE-2026-3943
published 2026-03-11

Priority: P269 · high · 7.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 40.80% (98.5th percentile)

A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor is investigating and remediating this issue.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
h3c | acg1000-ak230 | |

Detection & IOCs

url: /webui/?aaa_portal_auth_local_submit
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS H3C aaa_portal_auth_local_submit suffix Parameter Command Injection Attempt (CVE-2026-3943)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webui/|3f|aaa_portal_auth_local_submit"; startswith; fast_pattern; content:"suffix|3d|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/leeyper/CVE/issues/1; reference:cve,2026-3943; classtype:attempted-admin; sid:2068151; rev:1; metadata:affected_product H3C, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_11, cve CVE_2026_3943, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the `suffix` GET parameter in /webui/?aaa_portal_auth_local_submit via command injection characters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24).
  • Attack is delivered over plaintext HTTP using a GET request; monitor perimeter and internal HTTP traffic to H3C ACG1000-AK230 devices.
  • PCRE pattern for detection: match `suffix=` in the URI followed, within the same parameter value (before the next `&`), by at least one injection metacharacter, covering both raw and URL-encoded forms.
  • Public exploit PoC is available at github.com/leeyper/CVE/issues/1; treat exploitation attempts as high-confidence (confidence: High, severity: Major).
  • The Snort/Suricata rule (SID 2068151) is scoped to plaintext HTTP only; HTTPS-wrapped traffic to the same endpoint will NOT be detected by this rule.
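
The rule's matching logic applied to web access logs, as an added example that is not part of the original page or of the rule's author. It assumes combined-format access logs from a TLS-terminating reverse proxy in front of the device, where requests that arrived over HTTPS are also recorded; the function names, sample lines and addresses are constructed.

```python
import re

ENDPOINT = "/webui/?aaa_portal_auth_local_submit"
# Metacharacters from the rule's pcre, raw and URL-encoded: ; newline ` | $
META = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")
SUFFIX = re.compile(r"suffix=([^&]*)")  # value ends at the next '&'
# client address, then the quoted request line: "METHOD URI HTTP/x.y"
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[0-9.]+"')

def flag_uri(method, uri):
    """Return the first metacharacter token in a suffix value, else None."""
    # Like the rule: GET only, URI must start with the endpoint.
    if method != "GET" or not uri.startswith(ENDPOINT):
        return None
    for value in SUFFIX.findall(uri[len(ENDPOINT):]):
        hit = META.search(value)
        if hit:
            return hit.group(0)
    return None

def scan(lines):
    """Return (client_ip, token) for every log line the rule logic flags."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        token = flag_uri(m.group(2), m.group(3))
        if token:
            hits.append((m.group(1), token))
    return hits

# Constructed sample lines (documentation address ranges, placeholder values).
TS = '- - [11/Mar/2026:10:00:00 +0000]'
SAMPLE_LOG = [
    f'192.0.2.10 {TS} "GET {ENDPOINT}&suffix=abc HTTP/1.1" 200 512',
    f'198.51.100.7 {TS} "GET {ENDPOINT}&suffix=abc%3Bxyz HTTP/1.1" 200 512',
    f'198.51.100.7 {TS} "GET {ENDPOINT}&suffix=abc|xyz HTTP/1.1" 200 512',
    # metacharacter sits in a different parameter: not flagged
    f'192.0.2.22 {TS} "GET {ENDPOINT}&suffix=abc&next=1%3B2 HTTP/1.1" 200 512',
    # different endpoint: not flagged
    f'203.0.113.5 {TS} "GET /other/?page&suffix=a%24b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, token in scan(SAMPLE_LOG):
        print(f"{ip}: suffix value contains {token!r}")
```
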

CVSS provenance

nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P