CVE-2025-15501
Published: 09 January 2026
Summary
CVE-2025-15501 is a critical-severity Command Injection (CWE-77) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents OS command injection by requiring validation of untrusted inputs such as the sessionPath argument in WriterHandle.getCmd.
SI-2 mandates timely remediation of known flaws like this command injection vulnerability through identification, reporting, and correction.
AC-6 limits the impact of injected commands by enforcing least privilege on the vulnerable process, reducing potential damage to confidentiality, integrity, and availability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated remote OS command injection in a public-facing web application endpoint, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary command execution.
NVD Description
A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-15501 is an OS command injection vulnerability in Sangfor Operation and Maintenance Management System versions up to 3.0.8. The flaw affects the WriterHandle.getCmd function in the file /isomp-protocol/protocol/getCmd, where manipulation of the sessionPath argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by unauthenticated attackers with no user interaction required. Successful exploitation allows attackers to execute arbitrary operating system commands, potentially leading to high impacts on confidentiality, integrity, and availability, such as data theft, system modification, or denial of service.
References including GitHub issues at master-abc/cve/issues/12 and VulDB entries (ctiid.340346, id.340346) confirm the exploit has been publicly disclosed and may be utilized. The vendor was contacted early regarding disclosure but did not respond, and no patches or specific mitigations are detailed in the advisories.
Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against unpatched systems.
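With no vendor patch described, reviewing web access logs for unexpected sessionPath values is one practical check. The following is an added example, not code from the advisory or from Sangfor: it flags requests to the getCmd endpoint whose decoded sessionPath falls outside a conservative character allowlist. It assumes combined-format access logs, that the parameter travels in the query string, and that a legitimate value is a plain file path; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/isomp-protocol/protocol/getCmd"  # path named in the advisory
PARAM = "sessionPath"                         # argument named in the advisory
# Assumption: a legitimate sessionPath is a plain file path made of these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./-]+")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (client, decoded value) pairs for getCmd requests whose
    sessionPath contains characters outside the allowlist."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes once; blank values are kept so they are reviewed too.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jan/2026:10:00:01 +0000] "GET /isomp-protocol/protocol/getCmd'
    '?sessionPath=/data/session/1001 HTTP/1.1" 200 52',
    '203.0.113.9 - - [09/Jan/2026:10:00:05 +0000] "GET /isomp-protocol/protocol/getCmd'
    '?sessionPath=/data/session/1001%3Bconstructed HTTP/1.1" 200 0',
    '203.0.113.9 - - [09/Jan/2026:10:00:09 +0000] "GET /index.html'
    '?sessionPath=%3Bx HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent unexpected sessionPath: {value!r}")
```

If the application sends sessionPath in a request body instead, the same allowlist check applies to wherever that body is logged, such as a reverse proxy or WAF.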
Details
- CWE(s)