CVE-2025-63258
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
A remote command execution (RCE) vulnerability was found in H3C ERG3/ERG5, XiaoBei routers, cloud gateways, and wireless access points. Attackers can inject crafted commands via the sessionid parameter.
Risk Assessment
An attacker can take full control of the device, compromising the confidentiality, integrity, and availability of the organization's network.
Recommendation
Immediately update the firmware to a patched version or apply temporary WAF rules to block manipulation of the sessionid parameter.
Original NVD description (English source)
A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262, UAP662E-WPT330-R2262P03, WAP611-WPT330-R1348-OASIS, WAP662-WPT330-R2262, WAP662H-WPT330-R2262, USG300V2-WPT330-R2129, MSG300-WPT330-R1350, and MSG326-WPT330-R2129). Attackers are able to exploit this vulnerability via injecting crafted commands into the sessionid parameter.

