HIGH 8.8

CVE-2026-10259: H3C Magic B0 Stack Buffer Overflow Remote Code Execution

H3C Magic B0 devices running firmware up to version 100R002 contain a remotely exploitable vulnerability in their web interface. An authenticated attacker can send a specially crafted request to the SetMobileAPInfoById function that causes a stack-based buffer overflow, potentially allowing them to execute arbitrary code on the affected device. Public exploit details are already available, elevating the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10259 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) in H3C Magic B0 firmware up to 100R002. The vulnerability exists in the SetMobileAPInfoById function within /goform/aspForm, where insufficient input validation on the 'param' argument allows an authenticated remote attacker to overflow a stack buffer. The CVSS 3.1 score of 8.8 (HIGH) reflects network accessibility, low complexity, and the confidentiality, integrity, and availability impact achievable upon successful exploitation. The attack requires valid credentials (CVSS PR:L) but no user interaction.

Business impact

If exploited, this vulnerability enables complete compromise of affected H3C Magic B0 devices. An attacker with valid credentials—whether obtained through credential theft, default passwords, or social engineering—can achieve remote code execution, potentially leading to network reconnaissance, lateral movement, data exfiltration, or persistent device compromise. For organizations relying on these access points for network connectivity, such compromise poses significant operational and security risks.

Affected systems

H3C Magic B0 access points and wireless controllers running firmware versions up to and including 100R002 are affected. Organizations should verify their deployed H3C Magic B0 device inventory and current firmware versions to determine exposure scope.

Exploitability

This vulnerability is highly exploitable in practice. It requires only low-complexity, network-based access paired with valid authentication credentials. Critically, public exploit code and detailed disclosure are already available, significantly lowering the barrier to weaponization. Attackers with compromised user credentials or access to default credentials can exploit this without specialized knowledge. The lack of user interaction requirement means automated, reliable exploitation is feasible.

Remediation

Organizations must prioritize firmware updates for all H3C Magic B0 devices. Verify availability of patched firmware versions beyond 100R002 from H3C, and apply updates through your change management process. Pending patch availability, implement network-level compensating controls: restrict administrative access to Magic B0 devices to authorized management networks, enforce strong authentication (disable default credentials, enforce MFA where supported), and monitor for suspicious administrative activity.

Patch guidance

Obtain the latest H3C Magic B0 firmware from H3C's support portal and verify the version number exceeds 100R002 before deployment. H3C was contacted early regarding this disclosure but provided no public patch communication, so direct vendor contact may be necessary to confirm patch availability and obtain secure download links. Test patches in a non-production environment first, and schedule updates during maintenance windows to minimize service interruption.

Detection guidance

Monitor access logs for /goform/aspForm requests, particularly those targeting SetMobileAPInfoById with unusual 'param' argument values or abnormal lengths. Detect failed or successful authentication attempts to Magic B0 administrative interfaces, especially from unfamiliar source IPs or after hours. Watch for unexpected process execution or system restart events on affected devices following HTTP requests. Intrusion detection systems should flag oversized or malformed POST requests to /goform/aspForm endpoints. Review device system logs for stack overflow exceptions or memory access violations.

Why prioritize this

This vulnerability merits immediate attention due to the combination of high CVSS score (8.8), public exploit availability, authenticated-but-low-friction access requirements, and complete system compromise potential. The vendor's apparent non-responsiveness to early disclosure increases organizational pressure to patch independently. Any organization with Magic B0 devices in production should treat this as critical.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) is driven by: network-based attack vector (AV:N), low attack complexity (AC:L), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The authentication requirement (PR:L) prevents a perfect score but does not materially reduce risk given the prevalence of credential compromise. The public exploit availability and vendor non-responsiveness further elevate practical risk beyond the base score.

Frequently asked questions

Do we need valid credentials to exploit this?

Yes, the vulnerability requires authenticated access (CVSS PR:L). However, this is not a significant barrier in practice: attackers can obtain credentials through phishing, credential stuffing, default password use, or lateral movement. The network accessibility means credentials obtained from any source can be weaponized remotely.

Is there a patch available?

The provided data does not specify a patched firmware version. H3C was contacted early during responsible disclosure but did not respond. Contact H3C support directly to confirm patch availability and obtain secure firmware downloads beyond version 100R002.

What firmware versions are affected?

All H3C Magic B0 devices running firmware up to and including version 100R002 are vulnerable. Verify your device inventory immediately and confirm current firmware versions via device management interfaces.

Can this be exploited without network access?

No, the vulnerability is remotely exploitable but requires network access to the affected device's web interface (/goform/aspForm). Restrict management access to trusted networks and enforce strong access controls to limit exposure.

This analysis is based on available vulnerability data as of June 2026. CVSS scoring reflects vendor-supplied vectors and should be validated against your specific operational environment. Patch availability and remediation timelines are subject to vendor discretion; contact H3C directly for current patch status. SEC.co makes no warranty regarding exploit reliability, vendor responsiveness, or patch effectiveness. Organizations should conduct their own risk assessment and testing before deploying patches or compensating controls. This intelligence is provided for informational purposes to support security decision-making and does not constitute legal advice, guarantee of protection, or endorsement of any specific remediation approach. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).