Cyber Posture

CVE-2025-12916

Severity: Medium · Public PoC available

Published: 09 November 2025
Modified: 29 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was determined in Sangfor Operation and Maintenance Security Management System 3.0. Impacted is an unknown function of the file /fort/portal_login of the component Frontend. This manipulation of the argument loginUrl causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.0.11 and 3.0.12 is recommended to address this issue. It is advisable to upgrade the affected component.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Requires timely remediation of the command injection flaw by patching to Sangfor versions 3.0.11 or 3.0.12.
- Prevent: Mandates validation of the loginUrl argument to block command injection from untrusted inputs in the frontend component.
- Prevent: Enforces least privilege for low-privilege authenticated users, limiting the impact of successful command execution.
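The second control above, validating the loginUrl argument, is the one a developer or a detection engineer can act on directly. The following Python is an added illustration written for this page, not Sangfor's code and not a description of how /fort/portal_login is implemented: it shows the anti-pattern that produces a command injection (an untrusted URL interpolated into a shell command line), the hardened form (positive validation against a scheme and host allowlist, then an argv list with no shell), and the same validator reused to flag suspicious loginUrl values in web server access logs. The allowlisted host, the log lines and the `curl` invocation are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of redirect targets a portal may legitimately use (constructed).
ALLOWED_HOSTS = {"portal.example.internal"}
ALLOWED_SCHEMES = {"https"}

# Characters that carry meaning for a Unix shell; a well-formed URL never needs them.
SHELL_METACHARS = set(";|&`$(){}<>\n\r\\'\"")


def validate_login_url(value: str, max_len: int = 512) -> str:
    """Return value unchanged if it is an allowlisted HTTPS URL, else raise ValueError.

    The check is positive (what is permitted), so anything outside the allowlist
    is rejected even if it contains no shell metacharacter at all.
    """
    if not value or len(value) > max_len:
        raise ValueError("loginUrl missing or too long")
    if any(ch in SHELL_METACHARS for ch in value):
        raise ValueError("loginUrl contains characters that are not valid in a URL")
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} not in allowlist")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in loginUrl not allowed")
    return value


def is_valid_login_url(value: str) -> bool:
    """Boolean convenience wrapper around validate_login_url."""
    try:
        validate_login_url(value)
        return True
    except ValueError:
        return False


def vulnerable_fetch_argv(login_url: str) -> list[str]:
    """The anti-pattern: untrusted input spliced into a shell command string.

    Returns the argv that subprocess.run(cmd, shell=True) would hand to /bin/sh,
    without executing it, so the effect of metacharacters in the input is visible.
    """
    cmd = f"curl -s {login_url}"
    return ["/bin/sh", "-c", cmd]


def hardened_fetch_argv(login_url: str) -> list[str]:
    """Validate first, then build an argument list; no shell is involved at all."""
    url = validate_login_url(login_url)
    return ["curl", "-s", url]


# Constructed access-log lines in combined format; the third carries a ';' in loginUrl.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Nov/2025:10:00:01 +0000] "GET /fort/portal_login?loginUrl=https%3A%2F%2Fportal.example.internal%2Fhome HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Nov/2025:10:00:07 +0000] "GET /fort/portal_login?loginUrl=https%3A%2F%2Fevil.example%2F HTTP/1.1" 302 0',
    '10.0.0.9 - - [09/Nov/2025:10:00:09 +0000] "GET /fort/portal_login?loginUrl=https%3A%2F%2Fportal.example.internal%2F%3Bid HTTP/1.1" 200 88',
    '10.0.0.7 - - [09/Nov/2025:10:00:11 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def flag_suspicious_requests(lines: list[str]) -> list[tuple[str, str]]:
    """Return (log line, reason) for every /fort/portal_login request whose
    loginUrl parameter fails the same validation the application should apply."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != "/fort/portal_login":
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are seen as-is.
        for value in parse_qs(target.query).get("loginUrl", []):
            try:
                validate_login_url(value)
            except ValueError as exc:
                flagged.append((line, str(exc)))
    return flagged


if __name__ == "__main__":
    for line, reason in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The detection pass reuses the validator rather than a separate regex so that the application's rule and the monitoring rule cannot drift apart; in a real deployment the allowlist would come from configuration and the log source from the reverse proxy in front of the appliance.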

Security Summary (AI-generated)

CVE-2025-12916 is a command injection vulnerability in Sangfor Operation and Maintenance Security Management System version 3.0. The issue affects an unknown function within the /fort/portal_login file of the Frontend component, where manipulation of the loginUrl argument enables arbitrary command execution. The entry was published on 2025-11-09 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts, including partial disclosure of sensitive information, minor modification of data or system configuration, and temporary denial of service through command execution.

Advisories recommend upgrading to Sangfor Operation and Maintenance Security Management System versions 3.0.11 or 3.0.12 to remediate the issue. Detailed reports are available from VulDB (ctiid.331634, id.331634, submit.678377) and h4cker.zip, which note the exploit's public disclosure and potential for utilization by threat actors.

The vulnerability's public exploit availability increases the risk of targeted attacks against exposed instances, though no widespread real-world exploitation has been reported in available sources.

Details

CWE(s): CWE-74 (Improper Neutralization of Special Elements), CWE-77 (Command Injection)

Affected Products

- Vendor: sangfor
- Product: operation and maintenance security management system
- Versions: 3.0 — 3.0.11

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
- T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Remote command injection through the loginUrl parameter of a public-facing login endpoint (/fort/portal_login) corresponds to exploitation of a public-facing application (T1190); the injected input is executed through the system's command interpreter, which maps to indirect command execution (T1202) and Unix shell abuse (T1059.004).
