CVE-2025-15499

HighPublic PoC

Published: 09 January 2026

Published

09 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be…

initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating the manipulated filename argument in the uploadCN function.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the specific flaw enabling command injection in VersionController.java.

AC-6 Least Privilege partial match

prevent

Limits damage from low-privileged exploitation by enforcing least privilege on accounts and processes executing injected commands.

Security SummaryAI

CVE-2025-15499 is an OS command injection vulnerability affecting the Sangfor Operation and Maintenance Management System in versions up to 3.0.8. The issue resides in the uploadCN function of the VersionController.java file, where manipulation of the filename argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability allows remote exploitation by low-privileged authenticated users, requiring no user interaction and low attack complexity. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially executing arbitrary operating system commands on the affected system.

Advisories from VulDB and related GitHub issues indicate that the vendor was contacted early about the disclosure but provided no response. No patches or specific mitigations are detailed in the available references. The exploit has been publicly disclosed and may be used by attackers.

In notable context, the vulnerability was published on 2026-01-09, and the public exploit availability increases the risk of active exploitation against unpatched Sangfor OMM systems.

Details

CWE(s): CWE-77 CWE-78

Affected Products

sangfor

operation and maintenance management system

≤ 3.0.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of a public-facing web application (T1190) via authenticated command injection in a Java controller, directly facilitating arbitrary OS command execution likely via Unix Shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/master-abc/cve/issues/10
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://github.com/master-abc/cve/issues/10#issue-3770540830
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.340344
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.340344
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.727207
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/master-abc/cve/issues/10
Exploit, Issue Tracking, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/master-abc/cve/issues/10#issue-3770540830
Exploit, Issue Tracking, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0