Description
A vulnerability was found in H3C Magic B0 up to 100R002. This affects the function Edit_BasicSSID_5G of the file /goform/aspForm. Performing a manipulation of the argument param results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow flaw exists in the Edit_BasicSSID_5G function of H3C Magic B0 firmware (up to 100R002). Manipulating the param argument triggers a memory corruption that can lead to arbitrary code execution. The CVE description explicitly mentions that the attack is remotely accessible and an exploit has been made public.

Affected Systems

H3C Magic B0 devices running firmware versions up to 100R002 are affected. The vulnerability is confined to the /goform/aspForm endpoint of the web interface.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating a high level of severity. No EPSS score is available, and the vulnerability is not listed in the KEV catalog. The absence of a public patch and the vendor’s lack of response increase the urgency. The likely attack vector is remote manipulation of the Edit_BasicSSID_5G parameter via the web interface, and the public exploit demonstrates real-world exploitability.

Generated by OpenCVE AI on May 24, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify whether the device uses firmware 100R002 or earlier and verify the presence of the vulnerability.
  • If a vendor release that addresses the flaw is available, upgrade the device firmware to the latest version as soon as possible.
  • Because the vendor has not yet provided a fix, isolate the affected device from untrusted networks and configure firewall rules or access controls to restrict inbound connections to the /goform/aspForm endpoint.
  • Monitor web traffic for attempts to manipulate the BasicSSID_5G parameter and apply intrusion detection alerts for repeated malformed requests.

Generated by OpenCVE AI on May 24, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 24 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in H3C Magic B0 up to 100R002. This affects the function Edit_BasicSSID_5G of the file /goform/aspForm. Performing a manipulation of the argument param results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title H3C Magic B0 aspForm Edit_BasicSSID_5G buffer overflow
First Time appeared H3c
H3c magic B0
Weaknesses CWE-119
CWE-120
CPEs cpe:2.3:a:h3c:magic_b0:*:*:*:*:*:*:*:*
Vendors & Products H3c
H3c magic B0
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

H3c Magic B0
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T19:00:13.793Z

Reserved: 2026-05-24T06:11:03.604Z

Link: CVE-2026-9393

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-24T20:30:07Z

Weaknesses