Cyber Resilience

CVE-2025-12916

Low · Public PoC

Published: 09 November 2025
Modified: 29 April 2026
KEV Added
Patch
CVSS Score v4: 2.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0029 (52.2th percentile)
Risk Priority: 4 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-12916 is a low-severity Injection (CWE-74) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-12916 is a command injection vulnerability in Sangfor Operation and Maintenance Security Management System version 3.0. The issue affects an unknown function within the /fort/portal_login file of the Frontend component, where manipulation of the loginUrl argument enables arbitrary command execution. The CVE was published on 2025-11-09 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), and is linked to CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts, including partial disclosure of sensitive information, minor modification of data or system configuration, and temporary denial of service through command execution.

Advisories recommend upgrading to Sangfor Operation and Maintenance Security Management System versions 3.0.11 or 3.0.12 to remediate the issue. Detailed reports are available from VulDB (ctiid.331634, id.331634, submit.678377) and h4cker.zip, which note the exploit's public disclosure and potential for utilization by threat actors.

The vulnerability's public exploit availability increases the risk of targeted attacks against exposed instances, though no widespread real-world exploitation has been reported in available sources.
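
A log-hunting sketch for the exposure described above, added here as an example (not code from Sangfor, VulDB or this page): it flags requests to /fort/portal_login whose loginUrl value, once fully percent-decoded, contains anything beyond plain http(s) URL characters. The combined access-log layout, the placement of loginUrl in the query string and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log layout: combined-format access log with the request line quoted.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Deliberately strict: only characters a plain http(s) URL needs after decoding.
SAFE_VALUE_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@=+,-]*")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded characters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_login_requests(log_lines):
    """Return (line_number, decoded loginUrl) for values that fail the strict check."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path.rstrip("/") != "/fort/portal_login":
            continue
        params = parse_qs(target.query, keep_blank_values=True)
        for raw in params.get("loginUrl", []):
            value = fully_decode(raw)
            if not SAFE_VALUE_RE.fullmatch(value):
                hits.append((number, value))
    return hits

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - alice [09/Nov/2025:10:01:02 +0000] "GET /fort/portal_login?loginUrl=https%3A%2F%2Fportal.example%2Fhome HTTP/1.1" 200 512',
    '192.0.2.44 - bob [09/Nov/2025:10:03:17 +0000] "GET /fort/portal_login?loginUrl=https%3A%2F%2Fportal.example%2F%3BCONSTRUCTED HTTP/1.1" 200 498',
    '192.0.2.44 - bob [09/Nov/2025:10:03:41 +0000] "GET /fort/portal_login?loginUrl=%7CCONSTRUCTED HTTP/1.1" 500 0',
    '192.0.2.10 - alice [09/Nov/2025:10:05:00 +0000] "GET /fort/other?loginUrl=%3BCONSTRUCTED HTTP/1.1" 404 0',
    '192.0.2.44 - bob [09/Nov/2025:10:06:09 +0000] "GET /fort/portal_login?loginUrl=https%3A%2F%2Fportal.example%2F%253BCONSTRUCTED HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for number, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"line {number}: loginUrl={value!r}")
```

If the appliance receives loginUrl in a POST body, the same check has to run on body captures from a reverse proxy or WAF, since access logs will not contain the value.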

Vulnerability details

A vulnerability was determined in Sangfor Operation and Maintenance Security Management System 3.0. Impacted is an unknown function of the file /fort/portal_login of the component Frontend. This manipulation of the argument loginUrl causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.0.11 and 3.0.12 is recommended to address this issue. It is advisable to upgrade the affected component.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Remote command injection in the public-facing login endpoint (/fort/portal_login) via the loginUrl parameter maps to exploitation of a public-facing application (T1190), indirect command execution (T1202), and Unix shell abuse (T1059.004).

CVEs Like This One

CVE-2026-1413 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1412 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1414 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15502 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15501 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1324 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1325 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15503 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15500 - Same vendor: Sangfor
CVE-2025-15499 - Same vendor: Sangfor

Affected Assets

Vendor: sangfor
Product: operation and maintenance security management system
Versions: 3.0 to 3.0.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely remediation of the command injection flaw by patching to Sangfor versions 3.0.11 or 3.0.12.
Prevent: Mandates validation of the loginUrl argument to block command injection from untrusted inputs in the frontend component.
Prevent: Enforces least privilege for low-privilege authenticated users, limiting the impact of successful command execution.
