H3C NX15 Weak Password Recovery Vulnerability (CVE-2026-15479)
A critical vulnerability, CVE-2026-15479, in H3C NX15 V100R017 allows remote attackers to perform weak password recovery by manipulating the 'newPass' argument in the '/api/login/modify' endpoint, leading to unauthorized administrator access.
A critical vulnerability, CVE-2026-15479, has been identified in H3C NX15 V100R017 devices, specifically within the Administrator Password Modification Endpoint. The flaw resides in the change_passwd function of the /api/login/modify file. By manipulating the newPass argument during a password change request, an unauthenticated remote attacker can exploit a weak password recovery mechanism. This allows the attacker to reset the administrator password, gaining unauthorized access to the device. The exploit for this vulnerability has been made public, indicating a heightened risk of exploitation in the wild. Organizations using affected H3C NX15 devices should immediately apply vendor-provided patches or mitigations to prevent potential compromise and ensure the integrity of their network infrastructure.
Attack Chain
- Vulnerability Discovery: An attacker identifies vulnerable H3C NX15 V100R017 devices exposed on the internet or within an accessible network segment.
- API Endpoint Identification: The attacker targets the
/api/login/modifyendpoint, specifically thechange_passwdfunction, which handles administrator password modifications. - Argument Manipulation: The attacker crafts a malicious HTTP request to the
/api/login/modifyendpoint, manipulating thenewPassargument in a way that triggers the weak password recovery vulnerability. The specific manipulation details are part of the public exploit. - Password Reset Execution: The vulnerable H3C device processes the crafted request, failing to properly validate the password change operation. This results in the administrator password being reset to an attacker-controlled value or a known weak default.
- Unauthorized Access: The attacker uses the newly set or recovered administrator password to log into the H3C NX15 device.
- Device Compromise: With administrative access, the attacker can then modify device configurations, exfiltrate sensitive network information, disrupt network operations, or establish persistence within the network.
Impact
Successful exploitation of CVE-2026-15479 allows a remote attacker to gain full administrative control over the affected H3C NX15 V100R017 device. This leads to complete compromise of the device, enabling unauthorized configuration changes, potential network segmentation bypasses, data exfiltration from devices connected to the router, and disruption of network services. Given that this is a network device, the impact can extend to the entire network infrastructure managed by the device, potentially affecting all connected clients and servers. The public availability of an exploit significantly increases the risk of widespread attacks targeting unpatched systems.
Recommendation
- Patch CVE-2026-15479 on all H3C NX15 V100R017 devices immediately once a vendor patch is released to mitigate the weak password recovery vulnerability.
- Monitor web server logs for suspicious requests to
/api/login/modifyon affected H3C NX15 devices that may indicate attempted exploitation. - Review access logs and administrator accounts on H3C NX15 devices for any unauthorized password changes or logins following the detection of suspicious activity.
Indicators of compromise
5
url
| Type | Value |
|---|---|
| url | https://github.com/coconut652-7/IOT_Vul_Public/tree/main/H3C/NX15R017/pre_auth_pwd_change |
| url | https://vuldb.com/cve/CVE-2026-15479 |
| url | https://vuldb.com/submit/837069 |
| url | https://vuldb.com/vuln/377785 |
| url | https://vuldb.com/vuln/377785/cti |