H3C Magic B0 aspForm Edit_BasicSSID_5G buffer overflow
Description
A vulnerability was found in H3C Magic B0 up to 100R002. This affects the function Edit_BasicSSID_5G of the file /goform/aspForm. Performing a manipulation of the argument param results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
H3C Magic B0 router ≤100R002 suffers a buffer overflow in Edit_BasicSSID_5G via the `param` argument to /goform/aspForm, enabling remote DoS or possible RCE.
Vulnerability
The vulnerability resides in the Edit_BasicSSID_5G function of the /goform/aspForm endpoint on H3C Magic B0 routers running firmware version 100R002 or earlier [1]. The program copies the user-supplied param argument into a fixed-size buffer without performing boundary checks, resulting in a classic buffer overflow [1]. No authentication or special configuration is needed to reach the vulnerable code path; the endpoint is accessible to any unauthenticated attacker on the network [1].
Exploitation
An unauthenticated remote attacker can exploit the flaw by sending a crafted HTTP POST request to /goform/aspForm with an oversized param parameter [1]. The publicly released proof-of-concept shows a simple request that overflows the buffer [1]. No user interaction or elevated privileges are required, and the attack vector is over the network on the LAN interface (typically via the router's management IP) [1].
Impact
Successful exploitation causes a buffer overflow that can corrupt adjacent memory, leading to denial of service (router crash or reboot) [1]. Under certain conditions, the attacker may achieve remote code execution with the privileges of the web server process (often root on embedded routers), enabling full compromise of the device [1].
Mitigation
The vendor (H3C) was contacted but did not respond [1]; as of the publication date (2026-05-24), no official firmware fix or workaround has been released [1]. Users should consider isolating the router's management interface from untrusted networks, applying access controls, or replacing the device if it reaches end-of-life. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input length validation in the Edit_BasicSSID_5G handler allows user-controlled param data to overflow a fixed-size buffer."
Attack vector
An unauthenticated attacker sends a crafted HTTP POST request to `/goform/aspForm` with `CMD=Edit_BasicSSID_5G` and an overly long `param` value [ref_id=1]. The router's web server processes the request without checking the input length, overflowing the fixed-size buffer [ref_id=1]. This can cause a denial of service (web management crash, device reboot) and, under certain conditions, may enable remote code execution [ref_id=1].
Affected code
The vulnerability resides in the `Edit_BasicSSID_5G` handler within the `/goform/aspForm` endpoint of the H3C Magic B0 router firmware (version ≤ 100R002) [ref_id=1]. The `param` argument is copied into a fixed-size buffer without length validation, causing a classic buffer overflow [ref_id=1].
What the fix does
No official patch has been released by the vendor; the advisory recommends validating all user input lengths before processing, ensuring consistency between input validation and buffer sizes, replacing unsafe functions (e.g., `strcpy`, `sprintf`) with safer alternatives such as `snprintf`, adding strict boundary checks in the `Edit_BasicSSID_5G` logic, and enabling compiler-level protections like stack canaries and FORTIFY_SOURCE [ref_id=1].
Preconditions
- networkAttacker must have network access to the router's web management interface (typically on port 80/443).
- authNo authentication is required; the PoC request does not include valid session credentials.
- inputThe attacker supplies an overly long 'param' value in the POST body.
Reproduction
Send the following HTTP POST request to the target router (replace `192.168.124.1` with the router's IP):
``` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Type: application/x-www-form-urlencoded Content-Length: 239
CMD=Edit_BasicSSID_5G¶m=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;bb ```
The overly long `param` value triggers the buffer overflow in the `Edit_BasicSSID_5G` handler, causing abnormal behavior such as a web service crash or device reboot [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/alc9700jmo/CVE/issues/25mitreexploitissue-tracking
- vuldb.com/submit/813477mitrethird-party-advisory
- vuldb.com/vuln/365374mitrevdb-entrytechnical-description
- vuldb.com/vuln/365374/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.