CVE-2025-15500
Published: 09 January 2026
Summary
CVE-2025-15500 is a critical-severity Command Injection (CWE-77) vulnerability in Sangfor Operation And Maintenance Management System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validating the sessionPath parameter in HTTP POST requests directly prevents OS command injection by rejecting malformed or malicious inputs.
Remediating the flaw in the /isomp-protocol/protocol/getHis handler eliminates the OS command injection vulnerability through patching or code fixes.
Boundary protection with web application firewalls inspects and blocks crafted HTTP POST requests exploiting the sessionPath parameter.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated OS command injection via public-facing HTTP endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).
NVD Description
A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in os…
more
command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-15500 is an OS command injection vulnerability affecting the Sangfor Operation and Maintenance Management System in versions up to 3.0.8. The flaw exists in the processing of the file /isomp-protocol/protocol/getHis by the HTTP POST Request Handler component, where manipulation of the sessionPath argument triggers command injection. It was published on 2026-01-09 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), linked to CWEs-77 and CWE-78.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can send a crafted HTTP POST request to manipulate the sessionPath parameter, injecting arbitrary OS commands. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full system compromise.
Advisories referenced in GitHub issues (master-abc/cve #11) and VulDB entries (ctiid.340345, id.340345) detail the issue but note no vendor response despite early contact. No patches or official mitigations are available in the provided information.
The exploit has been made public and could be used, increasing the risk for unpatched systems.
Details
- CWE(s)