<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>NX15 V100R017 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/nx15-v100r017/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 06:19:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/nx15-v100r017/feed.xml" rel="self" type="application/rss+xml"/><item><title>H3C NX15 Weak Password Recovery Vulnerability (CVE-2026-15479)</title><link>https://feed.craftedsignal.io/briefs/2026-07-h3c-nx15-weak-password-recovery/</link><pubDate>Sun, 12 Jul 2026 06:19:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-h3c-nx15-weak-password-recovery/</guid><description>A critical vulnerability, CVE-2026-15479, in H3C NX15 V100R017 allows remote attackers to perform weak password recovery by manipulating the 'newPass' argument in the '/api/login/modify' endpoint, leading to unauthorized administrator access.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-15479, has been identified in H3C NX15 V100R017 devices, specifically within the Administrator Password Modification Endpoint. The flaw resides in the <code>change_passwd</code> function of the <code>/api/login/modify</code> file. By manipulating the <code>newPass</code> argument during a password change request, an unauthenticated remote attacker can exploit a weak password recovery mechanism. This allows the attacker to reset the administrator password, gaining unauthorized access to the device. The exploit for this vulnerability has been made public, indicating a heightened risk of exploitation in the wild. Organizations using affected H3C NX15 devices should immediately apply vendor-provided patches or mitigations to prevent potential compromise and ensure the integrity of their network infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Vulnerability Discovery:</strong> An attacker identifies vulnerable H3C NX15 V100R017 devices exposed on the internet or within an accessible network segment.</li>
<li><strong>API Endpoint Identification:</strong> The attacker targets the <code>/api/login/modify</code> endpoint, specifically the <code>change_passwd</code> function, which handles administrator password modifications.</li>
<li><strong>Argument Manipulation:</strong> The attacker crafts a malicious HTTP request to the <code>/api/login/modify</code> endpoint, manipulating the <code>newPass</code> argument in a way that triggers the weak password recovery vulnerability. The specific manipulation details are part of the public exploit.</li>
<li><strong>Password Reset Execution:</strong> The vulnerable H3C device processes the crafted request, failing to properly validate the password change operation. This results in the administrator password being reset to an attacker-controlled value or a known weak default.</li>
<li><strong>Unauthorized Access:</strong> The attacker uses the newly set or recovered administrator password to log into the H3C NX15 device.</li>
<li><strong>Device Compromise:</strong> With administrative access, the attacker can then modify device configurations, exfiltrate sensitive network information, disrupt network operations, or establish persistence within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15479 allows a remote attacker to gain full administrative control over the affected H3C NX15 V100R017 device. This leads to complete compromise of the device, enabling unauthorized configuration changes, potential network segmentation bypasses, data exfiltration from devices connected to the router, and disruption of network services. Given that this is a network device, the impact can extend to the entire network infrastructure managed by the device, potentially affecting all connected clients and servers. The public availability of an exploit significantly increases the risk of widespread attacks targeting unpatched systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-15479 on all H3C NX15 V100R017 devices immediately once a vendor patch is released to mitigate the weak password recovery vulnerability.</li>
<li>Monitor web server logs for suspicious requests to <code>/api/login/modify</code> on affected H3C NX15 devices that may indicate attempted exploitation.</li>
<li>Review access logs and administrator accounts on H3C NX15 devices for any unauthorized password changes or logins following the detection of suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>api-exploitation</category><category>password-reset</category><category>network-device</category><category>remote-access</category></item></channel></rss>