Cyber Posture

CVE-2025-12916

Medium · Public PoC

Published: 09 November 2025

Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0024 (47.6th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-12916 is a medium-severity Injection (CWE-74) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires timely remediation of the command injection flaw by patching to Sangfor versions 3.0.11 or 3.0.12.

prevent: Mandates validation of the loginUrl argument to block command injection from untrusted inputs in the frontend component.

prevent: Enforces least privilege for low-privilege authenticated users, limiting the impact of successful command execution.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Remote command injection via the loginUrl parameter of the public-facing login endpoint (/fort/portal_login) corresponds to exploitation of a public-facing application (T1190), indirect command execution (T1202), and Unix shell abuse (T1059.004).

NVD Description

A vulnerability was determined in Sangfor Operation and Maintenance Security Management System 3.0. Impacted is an unknown function of the file /fort/portal_login of the component Frontend. This manipulation of the argument loginUrl causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.0.11 and 3.0.12 is recommended to address this issue. It is advisable to upgrade the affected component.

Deeper analysis · AI

CVE-2025-12916 is a command injection vulnerability in Sangfor Operation and Maintenance Security Management System version 3.0. The issue affects an unknown function within the /fort/portal_login file of the Frontend component, where manipulation of the loginUrl argument enables arbitrary command execution. It was published on 2025-11-09 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts, including partial disclosure of sensitive information, minor modification of data or system configuration, and temporary denial of service through command execution.

Advisories recommend upgrading to Sangfor Operation and Maintenance Security Management System versions 3.0.11 or 3.0.12 to remediate the issue. Detailed reports are available from VulDB (ctiid.331634, id.331634, submit.678377) and h4cker.zip, which note the exploit's public disclosure and potential for utilization by threat actors.

The vulnerability's public exploit availability increases the risk of targeted attacks against exposed instances, though no widespread real-world exploitation has been reported in available sources.

Details

CWE(s)

Affected Products

sangfor
operation and maintenance security management system
3.0 — 3.0.11

CVEs Like This One

CVE-2026-1413 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1412 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1414 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15502 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15501 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1324 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1325 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15503 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15499 · Same vendor: Sangfor
CVE-2025-15500 · Same vendor: Sangfor

References