A glaring configuration oversight in select H3C wireless controllers and access points has opened the door for remote attackers to seize root-level control of the devices. The vulnerability, tracked as CVE-2025-60262, carries a devastating CVSS score of 9.8, signaling that the flaw is both critical and easy to exploit.
The issue isn’t a complex code bug, but a simple failure to read the manual. By misconfiguring the popular vsftpd (Very Secure FTP Daemon) service, H3C inadvertently turned anonymous file uploads into a mechanism for privilege escalation.
The vulnerability affects the H3C M102G Wireless Controller (firmware HM1A0V200R010) and the BA1500L Wireless Access Point (firmware SWBA1A0V100R006).
The root cause lies in the /etc/vsftpd.conf configuration file. The developers enabled the chown_uploads setting, which changes the ownership of files uploaded by anonymous users. However, they failed to set the corresponding chown_username property.
According to the official vsftpd documentation, if chown_username is not specified, it defaults to root.
“Note! Using ‘root’ for uploaded files is not recommended!” the vsftpd manual warns explicitly.
Because of this omission, “all files uploaded anonymously via FTP are automatically owned by the root user”.
This misstep transforms a standard file upload feature into a critical security hole. An attacker can upload malicious files—such as scripts or configuration overrides—via anonymous FTP. Since these files are immediately owned by root, the attacker can leverage them to execute commands with the highest possible privileges on the device.
“It allows remote attackers with anonymous FTP access to gain root-level control over the devices,” the advisory concludes.
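The two settings above can be checked mechanically. The following is an added example (not H3C's or vsftpd's code) that parses a vsftpd.conf, applies vsftpd's documented defaults (chown_username falling back to root when absent), and reports whether anonymous uploads would end up root-owned; both configuration samples are constructed for illustration and the user name ftpupload is an assumed placeholder.

```python
"""Audit a vsftpd.conf for the chown_uploads / chown_username pitfall."""

# Constructed sample resembling the weak configuration described in the article
WEAK_CONF = """\
# vsftpd configuration (constructed sample)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
chown_uploads=YES
"""

# Constructed hardened counterpart: ownership goes to an unprivileged account (assumed name)
HARDENED_CONF = WEAK_CONF + "chown_username=ftpupload\n"


def parse_vsftpd_conf(text):
    """Parse vsftpd's key=value format; '#' lines are comments, blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_chown_uploads(text):
    """Return (root_owned, remotely_reachable, message) for the given config text."""
    cfg = parse_vsftpd_conf(text)
    on = lambda key, default: cfg.get(key, default).upper() == "YES"
    if not on("chown_uploads", "NO"):
        return False, False, "chown_uploads disabled: uploads keep the ftp user's ownership"
    # Per the vsftpd man page, chown_username defaults to root when it is not set
    owner = cfg.get("chown_username", "root")
    # Anonymous uploads need all three of these (defaults per the man page)
    reachable = on("anonymous_enable", "YES") and on("anon_upload_enable", "NO") and on("write_enable", "NO")
    if owner == "root":
        return True, reachable, "chown_uploads=YES with chown_username unset or root: uploads become root-owned"
    return False, reachable, f"uploads are chowned to unprivileged user {owner!r}"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_chown_uploads(conf))
```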
The affected devices include:
- H3C M102G Wireless Controller, firmware version HM1A0V200R010
- H3C BA1500L Wireless Access Point, firmware version SWBA1A0V100R006
Administrators managing these devices are strongly advised to check their firmware versions and await a patch from the vendor to correct the configuration error.