CVE-2025-8907

A vulnerability was found in H3C M2 NAS V100R006. Affected by this vulnerability is an unknown functionality of the component Webserver Configuration. The manipulation leads to execution with unnecessary privileges. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor explains: "[T]he device only has configuration files and does not actually have boa functionality. It is impossible to access or upload files anonymously to the device through boa services". This vulnerability only affects products that are no longer supported by the maintainer.

CVSS v3 7.0 HIGH
CVSS v2.0 6.0 MEDIUM

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:H/Au:S/C:C/I:C/A:C

Exploitability : 1.5 / Impact : 10.0

Access Vector LOCAL

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://vuldb.com/?ctiid.319861
https://vuldb.com/?id.319861
https://vuldb.com/?submit.624554
https://www.notion.so/23f54a1113e7804bae88e76f9fb0cf5b

Configurations

No configuration.

History

13 Aug 2025, 17:33

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en H3C M2 NAS V100R006. Esta vulnerabilidad afecta a una funcionalidad desconocida del componente Configuración del servidor web. La manipulación provoca la ejecución con privilegios innecesarios. Un ataque debe abordarse localmente. Es un ataque de complejidad bastante alta. Parece difícil de explotar. Parece difícil de explota. El proveedor explica: «El dispositivo solo tiene archivos de configuración y no tiene funcionalidad boa. Es imposible acceder o cargar archivos anónimamente al dispositivo a través de los servicios boa». Esta vulnerabilidad solo afecta a los productos que ya no reciben soporte del fabricante.

13 Aug 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-13 13:15

Updated : 2025-08-13 17:33

NVD link : CVE-2025-8907

Mitre link : CVE-2025-8907

CVE.ORG link : CVE-2025-8907

JSON object : View

Products Affected

No product.

CWE

CWE-250

Execution with Unnecessary Privileges

7.0 /10