{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/h3c/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-8764"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Magic B3 (\u003c= 100R002)"],"_cs_severities":["high"],"_cs_tags":["buffer overflow","remote code execution","CVE-2026-8764"],"_cs_type":"threat","_cs_vendors":["H3C"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-8764, affects H3C Magic B3 devices up to version 100R002. The vulnerability is located within the \u003ccode\u003eUpdateWanParams\u003c/code\u003e function of the \u003ccode\u003e/goform/aspForm\u003c/code\u003e file. Successful exploitation of this flaw allows remote attackers to trigger a buffer overflow by manipulating the \u003ccode\u003eparam\u003c/code\u003e argument. Publicly available exploits exist, increasing the risk of active exploitation. The vendor was notified about this vulnerability, but has not responded. This vulnerability allows for unauthenticated remote code execution if successfully exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an H3C Magic B3 device running a vulnerable firmware version (\u0026lt;= 100R002) accessible over the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/aspForm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eUpdateWanParams\u003c/code\u003e function call with a crafted \u003ccode\u003eparam\u003c/code\u003e argument designed to cause a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe device processes the malicious \u003ccode\u003eparam\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe excessive data in the \u003ccode\u003eparam\u003c/code\u003e argument overwrites adjacent memory regions in the device\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflowed data to overwrite critical program data, such as return addresses or function pointers.\u003c/li\u003e\n\u003cli\u003eUpon function return, the hijacked execution flow redirects the program to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eAttacker achieves remote code execution on the device, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8764 allows an unauthenticated remote attacker to execute arbitrary code on the affected H3C Magic B3 device. This can lead to a complete compromise of the device, potentially enabling attackers to gain unauthorized access to the network, steal sensitive information, or use the device as a bot in a larger attack. Given the lack of vendor response, a large number of devices may be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-8764 Exploitation Attempt\u003c/code\u003e to your SIEM system to detect HTTP requests attempting to exploit the buffer overflow in the \u003ccode\u003eUpdateWanParams\u003c/code\u003e function of the \u003ccode\u003e/goform/aspForm\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/aspForm\u003c/code\u003e containing unusually long \u003ccode\u003eparam\u003c/code\u003e arguments, as highlighted in the Sigma rule and overview.\u003c/li\u003e\n\u003cli\u003eGiven the affected product is H3C Magic B3, network administrators should investigate whether any deployed devices are affected.\u003c/li\u003e\n\u003cli\u003eConsult the references from NVD to determine if there are any vendor mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-17T22:17:53Z","date_published":"2026-05-17T22:17:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-h3c-magic-b3-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in the UpdateWanParams function of the /goform/aspForm file in H3C Magic B3 devices up to version 100R002, which can be exploited by manipulating the 'param' argument, leading to potential remote code execution.","title":"H3C Magic B3 Buffer Overflow Vulnerability (CVE-2026-8764)","url":"https://feed.craftedsignal.io/briefs/2026-05-h3c-magic-b3-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — H3C","version":"https://jsonfeed.org/version/1.1"}