CVE-2026-15479

H3C · NX15

A weak password recovery vulnerability in H3C NX15 V100R017 allows unauthenticated attackers to manipulate account security settings.

Executive summary

A vulnerability in H3C NX15 firmware allows unauthenticated attackers to exploit weak password recovery mechanisms, potentially leading to unauthorized account access.

Vulnerability

The flaw is identified as CWE-640 (Weak Password Recovery), which allows an unauthenticated, network-adjacent attacker to perform unauthorized password recovery actions.

Business impact

Successful exploitation of this vulnerability could lead to a complete compromise of administrative or user accounts on the affected networking device. Given the CVSS score of 7.3, this represents a significant risk to network integrity and confidentiality, potentially allowing attackers to pivot deeper into the corporate environment.

Remediation

Immediate Action: Contact H3C support to obtain the latest firmware patch; if no patch is available, restrict management interface access to trusted administrative subnets only.

Proactive Monitoring: Review device access logs for unusual password reset requests or unauthorized administrative login attempts originating from unknown IP addresses.

Compensating Controls: Implement strict firewall rules to ensure the management interface of the NX15 device is not exposed to the public internet or untrusted network segments.

Exploitation status

Public Exploit Available: Yes — a proof-of-concept repository exists on GitHub (coconut652-7/IOT_Vul_Public).

Analyst recommendation

The severity of this vulnerability, combined with the availability of public exploit code, necessitates immediate action. Administrators should prioritize restricting network access to the affected hardware and coordinate with the vendor to verify if a firmware update is available to resolve the underlying authentication weakness.