HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-10259Published Modified CNA VulDB

CVE-2026-10259: H3C Magic B0 aspForm SetMobileAPInfoById stack-based overflow

A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the H3C Magic B0 router (firmware up to 100R002) within the SetMobileAPInfoById function, reachable via the /goform/aspForm endpoint over the network. An attacker with a low-privilege account can send a crafted request with a malformed param argument to trigger the overflow. Successful exploitation gives the attacker full control over the device, including the ability to read credentials, modify configuration, and crash or take over the router process. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream ships one.

HarborGuard Coverage

Detection

Detection of CVE-2026-10259 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including VulDB) within minutes of publication and matched against all customer images, including custom-built firmware and embedded-OS container images that carry the affected H3C component. Coverage applies at both registry scan time and inline pipeline checks.

Available
Triage

Triage capability is available using the CVSS v4.0 base score of 8.7 (High), weighted further by each customer org's compliance policy to reflect environmental risk factors such as network exposure or regulatory scope. Findings are routed automatically to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

Because no upstream fix has been published for CVE-2026-10259, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor releases a remediated firmware or component version. In the interim, HarborGuard surfaces the finding with suggested compensating controls to help teams reduce exposure while waiting for an upstream patch.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable /goform/aspForm endpoint is exposed over the network, so the attacker must be able to reach the device's HTTP service remotely.

  • AuthenticationRequired

    The CVSS vector specifies PR:L, meaning any low-privilege account is sufficient to send the malformed request that triggers the overflow.

  • Victim interactionNot required

    Exploitation is fully attacker-driven; no action by a user or administrator on the target device is needed.

  • Attack complexityDetail

    AC:L and AT:N indicate the exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental prerequisites.

Blast Radius

  • Reads sensitive data stored on the device, including wireless credentials, session tokens, and administrative configuration.
  • Modifies device configuration, such as DNS settings, access-control rules, or mobile AP parameters, enabling traffic interception or redirection.
  • Crashes the affected router process or causes a full device reboot, disrupting network connectivity for all clients behind the device.
  • With full stack control, an attacker can execute arbitrary code on the device at the privilege level of the web server process, effectively owning the hardware.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-10259 is flagged immediately in any scan that surfaces the affected H3C Magic B0 firmware component, with a CVSS v4.0 score of 8.7 and High severity applied to prioritization. Because no upstream patch exists yet, HarborGuard monitors the VulDB advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment a fix version is published; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. While waiting for an upstream fix, HarborGuard surfaces compensating-control recommendations: restricting network access to the /goform/aspForm endpoint via network policy or firewall rules, applying egress filtering to limit post-exploitation reach, and disabling remote management interfaces where operationally feasible. The publicly disclosed exploit (CVSS E:P) increases urgency; teams should treat this as a high-priority finding until an upstream patch is available.

See how HarborGuard automates this
Affected packages
  • H3C / Magic B0
    100R002
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References