CVE-2025-60262

CRITICAL

H3C Mc102-g Firmware - Incorrect Default Permissions

Title source: rule

Description

An issue in H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point, there is a misconfiguration vulnerability about vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol is automatically owned by the root user and remote attackers could gain root-level control over the devices.

References (2)

[Exploit, Third Party Advisory] https://www.notion.so/23e54a1113e780d686fbe1624ee0465d

[Exploit, Third Party Advisory] https://www.notion.so/Misconfiguration-in-H3C-23e54a1113e780d686fbe1624ee0465d

Scores

CVSS v3 9.8

EPSS 0.0023

EPSS Percentile 45.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-276

Status published

Affected Products (2)

h3c/mc102-g_firmware

h3c/magic_ba1500l_firmware

Timeline

Published Jan 06, 2026

Tracked Since Feb 18, 2026