{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nx15-v100r017/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-15479"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NX15 V100R017"],"_cs_severities":["high"],"_cs_tags":["vulnerability","api-exploitation","password-reset","network-device","remote-access"],"_cs_type":"threat","_cs_vendors":["H3C"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-15479, has been identified in H3C NX15 V100R017 devices, specifically within the Administrator Password Modification Endpoint. The flaw resides in the \u003ccode\u003echange_passwd\u003c/code\u003e function of the \u003ccode\u003e/api/login/modify\u003c/code\u003e file. By manipulating the \u003ccode\u003enewPass\u003c/code\u003e argument during a password change request, an unauthenticated remote attacker can exploit a weak password recovery mechanism. This allows the attacker to reset the administrator password, gaining unauthorized access to the device. The exploit for this vulnerability has been made public, indicating a heightened risk of exploitation in the wild. Organizations using affected H3C NX15 devices should immediately apply vendor-provided patches or mitigations to prevent potential compromise and ensure the integrity of their network infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e An attacker identifies vulnerable H3C NX15 V100R017 devices exposed on the internet or within an accessible network segment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAPI Endpoint Identification:\u003c/strong\u003e The attacker targets the \u003ccode\u003e/api/login/modify\u003c/code\u003e endpoint, specifically the \u003ccode\u003echange_passwd\u003c/code\u003e function, which handles administrator password modifications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArgument Manipulation:\u003c/strong\u003e The attacker crafts a malicious HTTP request to the \u003ccode\u003e/api/login/modify\u003c/code\u003e endpoint, manipulating the \u003ccode\u003enewPass\u003c/code\u003e argument in a way that triggers the weak password recovery vulnerability. The specific manipulation details are part of the public exploit.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword Reset Execution:\u003c/strong\u003e The vulnerable H3C device processes the crafted request, failing to properly validate the password change operation. This results in the administrator password being reset to an attacker-controlled value or a known weak default.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e The attacker uses the newly set or recovered administrator password to log into the H3C NX15 device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDevice Compromise:\u003c/strong\u003e With administrative access, the attacker can then modify device configurations, exfiltrate sensitive network information, disrupt network operations, or establish persistence within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15479 allows a remote attacker to gain full administrative control over the affected H3C NX15 V100R017 device. This leads to complete compromise of the device, enabling unauthorized configuration changes, potential network segmentation bypasses, data exfiltration from devices connected to the router, and disruption of network services. Given that this is a network device, the impact can extend to the entire network infrastructure managed by the device, potentially affecting all connected clients and servers. The public availability of an exploit significantly increases the risk of widespread attacks targeting unpatched systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15479 on all H3C NX15 V100R017 devices immediately once a vendor patch is released to mitigate the weak password recovery vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/api/login/modify\u003c/code\u003e on affected H3C NX15 devices that may indicate attempted exploitation.\u003c/li\u003e\n\u003cli\u003eReview access logs and administrator accounts on H3C NX15 devices for any unauthorized password changes or logins following the detection of suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T06:19:38Z","date_published":"2026-07-12T06:19:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-h3c-nx15-weak-password-recovery/","summary":"A critical vulnerability, CVE-2026-15479, in H3C NX15 V100R017 allows remote attackers to perform weak password recovery by manipulating the 'newPass' argument in the '/api/login/modify' endpoint, leading to unauthorized administrator access.","title":"H3C NX15 Weak Password Recovery Vulnerability (CVE-2026-15479)","url":"https://feed.craftedsignal.io/briefs/2026-07-h3c-nx15-weak-password-recovery/"}],"language":"en","title":"CraftedSignal Threat Feed - NX15 V100R017","version":"https://jsonfeed.org/version/1.1"}