CVE-2026-10259 - Vulnerability Details

- H3C Magic B0 aspForm SetMobileAPInfoById stack-based overflow

Description

A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-06-01

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stack-based buffer overflow exists in the SetMobileAPInfoById function of H3C Magic B0’s /goform/aspForm component, allowing an attacker who can send crafted requests to execute arbitrary code on the target system. The flaw arises from unsanitized input handling and is identified by CWE‑119 and CWE‑121. Exploitation would result in privilege escalation or complete compromise of the device, exposing sensitive network configuration data and potentially allowing further lateral movement.

Affected Systems

The vulnerability affects H3C Magic B0 devices running firmware up to 100R002. No other vendors or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, and the exploit is operable from remote hosts, as the attack requires only network-level access to the web interface. EPSS data is unavailable, and the vulnerability is not in the CISA KEV catalog, but the publicly disclosed exploit demonstrates realistic threat potential. Given the remote nature of the attack, any enabled or exposed instance of the web interface presents a direct risk to the entire device. The lack of vendor response further increases the urgency, as users must rely on self‑mitigation until an official fix is released.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

H3C

Magic B0

affected

Version	Status	Constraints
`100R002`	affected	—

No data.

Vendor Product Confidence Versions

H3c

Magic B0

90%

Version	Status	Scheme	Platform
`100R002`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply vendor patch or update to a firmware version that removes the vulnerability
Restrict access to the /goform/aspForm endpoint by allowing only trusted local IP addresses or VPN connections
Block remote traffic to that endpoint with a firewall or access control rule until a patch is available

Generated by OpenCVE AI on June 1, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00809.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/666324/H3C-Magic-B0-vuln
https://github.com/666324/H3C-Magic-B0-vuln/tree/main/H3C-Magic%20B0-vuln
https://vuldb.com/cve/CVE-2026-10259
https://vuldb.com/submit/824402
https://vuldb.com/vuln/367539
https://vuldb.com/vuln/367539/cti

History

Mon, 01 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		H3C Magic B0 aspForm SetMobileAPInfoById stack-based overflow
First Time appeared		H3c H3c magic B0
Weaknesses		CWE-119 CWE-121
CPEs		cpe:2.3:a:h3c:magic_b0::::::::
Vendors & Products		H3c H3c magic B0
References		https://github.com/666324/H3C-Magic-B0-vuln https://github.com/666324/H3C-Magic-B0-vuln/tree/main/H3C-Magic%20B0-vuln https://vuldb.com/cve/CVE-2026-10259 https://vuldb.com/submit/824402 https://vuldb.com/vuln/367539 https://vuldb.com/vuln/367539/cti
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

H3c Magic B0

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-01T13:00:11.929Z

Updated: 2026-06-01T19:23:27.570Z

Reserved: 2026-05-31T12:38:23.276Z

Link: CVE-2026-10259

Vulnrichment

Updated: 2026-06-01T19:23:21.960Z

NVD

Status : Deferred

Published: 2026-06-01T15:16:31.947

Modified: 2026-06-01T16:41:55.090

Link: CVE-2026-10259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T16:30:06Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-121
Stack-based Buffer Overflow

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object