Cyber Resilience

CVE-2025-15500

High · Public PoC · RCE

Published: 09 January 2026
Modified: 22 January 2026
KEV Added: not listed
Patch: none available
CVSS Score (v4): 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0559 (91.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-15500 is a high-severity Command Injection (CWE-77) vulnerability in Sangfor Operation And Maintenance Management System. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15500 is an OS command injection vulnerability affecting the Sangfor Operation and Maintenance Management System in versions up to 3.0.8. The flaw exists in the processing of the file /isomp-protocol/protocol/getHis by the HTTP POST Request Handler component, where manipulation of the sessionPath argument triggers command injection. It was published on 2026-01-09 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), linked to CWE-77 and CWE-78.

The vulnerability enables remote exploitation without authentication or user interaction. Attackers can send a crafted HTTP POST request to manipulate the sessionPath parameter, injecting arbitrary OS commands. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full system compromise.

Advisories referenced in GitHub issues (master-abc/cve #11) and VulDB entries (ctiid.340345, id.340345) detail the issue but note no vendor response despite early contact. No patches or official mitigations are available in the provided information.

The exploit has been made public and could be used, increasing the risk for unpatched systems.

Vulnerability details

A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in OS command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated OS command injection via public-facing HTTP endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15499 (same product: Sangfor Operation And Maintenance Management System)
CVE-2025-15502 (same vendor: Sangfor)
CVE-2025-15501 (same vendor: Sangfor)
CVE-2026-1413 (same vendor: Sangfor)
CVE-2026-1324 (same vendor: Sangfor)
CVE-2025-12916 (same vendor: Sangfor)
CVE-2026-1412 (same vendor: Sangfor)
CVE-2026-1414 (same vendor: Sangfor)
CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)

Affected Assets

Vendor: sangfor
Product: operation and maintenance management system
Versions: ≤ 3.0.8

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent)
Validating the sessionPath parameter in HTTP POST requests directly prevents OS command injection by rejecting malformed or malicious inputs.

SI-2 Flaw Remediation (prevent)
Remediating the flaw in the /isomp-protocol/protocol/getHis handler eliminates the OS command injection vulnerability through patching or code fixes.

SC-7 Boundary Protection (prevent, detect)
Boundary protection with web application firewalls inspects and blocks crafted HTTP POST requests exploiting the sessionPath parameter.
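The following Python snippet is an added illustration of the input-validation and boundary-protection controls above; it is not code from the advisory, from Sangfor, or from the referenced PoC. It models SI-10 as an allowlist check on the sessionPath value and SC-7 as a WAF-style inspection of form-encoded POST bodies sent to /isomp-protocol/protocol/getHis (the endpoint and parameter name come from the advisory). The legitimate shape of sessionPath (a plain relative path) and the form-encoded body format are assumptions, since the advisory does not document the parameter's expected format. The sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Endpoint and parameter named in the advisory.
VULNERABLE_ENDPOINT = "/isomp-protocol/protocol/getHis"
PARAM = "sessionPath"

# Assumption: a legitimate sessionPath is a relative path of ordinary characters.
# Starts with an alphanumeric or underscore, then only [A-Za-z0-9_./-], max 256 chars.
_SAFE_SESSION_PATH = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]{0,255}$")

# Characters that let a value escape a shell argument; none belong in a path value.
_SHELL_META = re.compile(r"[;&|`$<>\r\n]")


def validate_session_path(value: str) -> bool:
    """SI-10 style allowlist check: True only for plain relative paths without traversal."""
    if not _SAFE_SESSION_PATH.fullmatch(value):
        return False
    # ".." passes the character allowlist, so reject traversal segments explicitly.
    return all(segment != ".." for segment in value.split("/"))


def parse_form(body: str) -> dict[str, list[str]]:
    """Minimal application/x-www-form-urlencoded parser (splits on '&' only,
    so an encoded ';' is decoded into the value rather than treated as a separator)."""
    params: dict[str, list[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def inspect_post(path: str, body: str) -> list[str]:
    """SC-7 style inspection of one POST. Returns block reasons; empty list means allow.
    Only the affected endpoint is inspected, and values are decoded before matching."""
    findings: list[str] = []
    if path != VULNERABLE_ENDPOINT:
        return findings
    for value in parse_form(body).get(PARAM, []):
        if _SHELL_META.search(value):
            findings.append(f"shell metacharacter in {PARAM}: {value!r}")
        elif not validate_session_path(value):
            findings.append(f"{PARAM} outside allowlist: {value!r}")
    return findings


# Constructed sample requests (path, form body); not real traffic.
SAMPLE_REQUESTS = [
    (VULNERABLE_ENDPOINT, "sessionPath=sessions/2026-01-09/abc.log"),   # benign
    (VULNERABLE_ENDPOINT, "sessionPath=sessions%2Fa.log%3Bid"),         # encoded ';'
    (VULNERABLE_ENDPOINT, "sessionPath=../../etc/passwd"),              # traversal
    ("/isomp-protocol/protocol/other", "sessionPath=x;id"),             # other endpoint
]


def triage(requests=SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Run inspection over the samples; maps each blocked body to its findings."""
    result: dict[str, list[str]] = {}
    for path, body in requests:
        findings = inspect_post(path, body)
        if findings:
            result[body] = findings
    return result


if __name__ == "__main__":
    for body, reasons in triage().items():
        print("BLOCK", body, "->", reasons)
```

The decode-before-match step matters: a filter that compares the raw body would miss a percent-encoded metacharacter, while the application decodes it before use. The allowlist is deliberately narrower than the metacharacter denylist, so a value with no shell characters at all is still refused if it does not look like the path the handler expects; that is the SI-10 posture, and the denylist exists only to give a more specific block reason for logging.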
