CVE-2026-1324
Published: 22 January 2026
Description
A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to OS command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Mitigating Controls (NIST 800-53 r5) [AI]
Directly validates and sanitizes the keypassword input in the SSH Protocol Handler to prevent OS command injection.
Mandates timely flaw remediation for the command injection vulnerability in Sangfor OMM SessionController, including patching or workarounds when available.
Enforces least privilege on processes handling SSH sessions to limit the impact of any successfully injected OS commands by low-privilege users.
Security Summary [AI]
CVE-2026-1324 is an OS command injection vulnerability affecting the Sangfor Operation and Maintenance Management System versions up to 3.0.12. The issue resides in the SessionController function within the file /isomp-protocol/protocol/session of the SSH Protocol Handler component. By manipulating the keypassword argument, an attacker can inject arbitrary operating system commands, as classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-22.
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full system compromise through arbitrary command execution on the underlying operating system.
Advisories from VulDB and a related GitHub issue detail the vulnerability but report no vendor response despite early disclosure notification. No patches or official mitigations are available; recent submissions on VulDB highlight the issue.
A public exploit is available, increasing the likelihood of active exploitation against unpatched Sangfor OMM systems.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
CVE-2026-1324 enables arbitrary OS command injection in a remote SSH Protocol Handler service by authenticated low-privilege users, directly facilitating T1210 (Exploitation of Remote Services) and T1059 (Command and Scripting Interpreter).