Cyber Posture

CVE-2025-15501

Severity: Critical · Public PoC available

Published: 09 January 2026
Modified: 22 January 2026
KEV Added: none recorded
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was found in Sangfor Operation and Maintenance Management System up to version 3.0.8. Affected is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. Manipulation of the argument sessionPath leads to OS command injection. The attack can be launched remotely.…


The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)
Directly prevents OS command injection by requiring validation of untrusted inputs such as the sessionPath argument in WriterHandle.getCmd.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of known flaws like this command injection vulnerability through identification, reporting, and correction.

AC-6 Least Privilege (prevent)
Limits the impact of injected commands by enforcing least privilege on the vulnerable process, reducing potential damage to confidentiality, integrity, and availability.
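The SI-10 control above is abstract, so here is an added illustration of the bug class and its fix in Python. This is not Sangfor's code and nothing about the product's internals is known from the advisory: the directory `/var/isomp/sessions`, the `cat` of a `cmd.log`, and the allowed shape of a `sessionPath` value are all assumptions chosen for the demonstration. The vulnerable function splices the untrusted value into a shell string; the hardened one rejects anything outside an allowlist and builds an argv list so no shell ever parses the value.

```python
import re
import subprocess
from typing import List

# Hypothetical directory for the demonstration; the real layout of the
# product is not known from the advisory.
SESSION_ROOT = "/var/isomp/sessions"

# SI-10 style allowlist: path segments of letters, digits, '_' and '-' joined
# by '/'. It rejects shell metacharacters, whitespace, '..' and absolute paths
# outright instead of trying to escape them. The legal shape of a real
# sessionPath is an assumption for this example.
_SESSION_PATH_RE = re.compile(r"^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$")


def build_cmd_vulnerable(session_path: str) -> str:
    """Vulnerable pattern: the untrusted value is spliced into a shell command
    string, so whatever the caller sends becomes shell syntax."""
    return f"cat {SESSION_ROOT}/{session_path}/cmd.log"


def run_vulnerable(session_path: str) -> str:
    """shell=True hands the concatenated string to /bin/sh; a sessionPath of
    'x; id #' runs `id` after the cat. Kept only to show the failure mode."""
    proc = subprocess.run(build_cmd_vulnerable(session_path), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def validate_session_path(session_path: str) -> bool:
    """Return True only for values that match the allowlist exactly."""
    return _SESSION_PATH_RE.fullmatch(session_path) is not None


def build_cmd_hardened(session_path: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list so no shell
    parses the value. Rejection raises instead of silently sanitising."""
    if not validate_session_path(session_path):
        raise ValueError(f"rejected sessionPath: {session_path!r}")
    return ["cat", f"{SESSION_ROOT}/{session_path}/cmd.log"]


def run_hardened(session_path: str) -> str:
    """Execute the validated argv without a shell."""
    proc = subprocess.run(build_cmd_hardened(session_path), shell=False,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "x; id #"
    print("vulnerable command line:", build_cmd_vulnerable(payload))
    # -> cat /var/isomp/sessions/x; id #/cmd.log  (a shell would run `id`)
    try:
        build_cmd_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened argv:", build_cmd_hardened("sess-42/2026-01-09"))
```

The important design choice is that the hardened path does two independent things: it validates against an allowlist (so `..`, absolute paths and metacharacters never get through) and it avoids the shell entirely (so even a validator bug cannot turn into command execution). Either alone is weaker than both together; AC-6 then bounds what a residual bug could do by running the service as an unprivileged account.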

Security Summary [AI-generated]

CVE-2025-15501 is an OS command injection vulnerability in Sangfor Operation and Maintenance Management System versions up to 3.0.8. The flaw affects the WriterHandle.getCmd function in the file /isomp-protocol/protocol/getCmd, where manipulation of the sessionPath argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by unauthenticated attackers with no user interaction required. Successful exploitation allows attackers to execute arbitrary operating system commands, potentially leading to high impacts on confidentiality, integrity, and availability, such as data theft, system modification, or denial of service.

References including GitHub issues at master-abc/cve/issues/12 and VulDB entries (ctiid.340346, id.340346) confirm the exploit has been publicly disclosed and may be utilized. The vendor was contacted early regarding disclosure but did not respond, and no patches or specific mitigations are detailed in the advisories.

Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against unpatched systems.

Details

CWE(s)
CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products
sangfor operation and maintenance security management system ≤ 3.0.8

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The CVE enables unauthenticated remote OS command injection in a public-facing web application endpoint, which maps directly to T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
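Because the endpoint is unauthenticated and the injection point is a single named parameter, T1190 attempts against it are easy to spot in web server logs. The detector below is an added example, not part of the advisory or any Sangfor tooling. It assumes a combined-format access log and that sessionPath arrives as a GET query parameter (if the product accepts it in a POST body, access logs alone will not show the value); the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# The vulnerable endpoint named in the advisory.
ENDPOINT = "/isomp-protocol/protocol/getCmd"

# Characters with no place in a path-like value that a shell would interpret.
META_RE = re.compile(r"[;&|`$(){}<>\\\n]")

# Combined-format access log line. Assumption: sessionPath is sent as a GET
# query parameter, which is what makes it visible in the access log at all.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2026:10:01:02 +0000] "GET /isomp-protocol/protocol/getCmd?sessionPath=sess-42 HTTP/1.1" 200 311
203.0.113.7 - - [09/Jan/2026:10:02:15 +0000] "GET /isomp-protocol/protocol/getCmd?sessionPath=x%3Bid%20%23 HTTP/1.1" 200 88
203.0.113.7 - - [09/Jan/2026:10:02:16 +0000] "GET /isomp-protocol/protocol/getCmd?sessionPath=%24(whoami) HTTP/1.1" 200 90
10.0.0.9 - - [09/Jan/2026:10:03:00 +0000] "GET /login HTTP/1.1" 200 1200
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into named fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def session_path_from_target(target: str) -> Optional[str]:
    """Return the percent-decoded sessionPath value if the request hits the
    vulnerable endpoint, otherwise None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("sessionPath")
    return values[0] if values else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Emit one alert per request whose sessionPath contains shell metacharacters.
    Decoding happens before matching so %3B (';') and %24 ('$') are caught."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        value = session_path_from_target(rec["target"])
        if value is None or not META_RE.search(value):
            continue
        alerts.append({"src": rec["src"], "ts": rec["ts"],
                       "sessionPath": value, "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} sessionPath={a['sessionPath']!r} "
              f"status={a['status']}")
```

Two practical notes: since the request needs no credentials (PR:N), any hit on this endpoint from outside the management network is worth reviewing even without metacharacters, so a second, lower-severity rule on the path alone is reasonable; and the same regex can be applied to the decoded parameter in a WAF or reverse proxy as a stopgap while no vendor patch is listed.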

References