Cyber Resilience

CVE-2025-15501

High · Public PoC · RCE

Published: 09 January 2026
Modified: 22 January 2026
CVSS Score (v4): 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0637 (92.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-15501 is a high-severity Command Injection (CWE-77) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15501 is an OS command injection vulnerability in Sangfor Operation and Maintenance Management System versions up to 3.0.8. The flaw affects the WriterHandle.getCmd function in the file /isomp-protocol/protocol/getCmd, where manipulation of the sessionPath argument enables command injection. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by unauthenticated attackers with no user interaction required. Successful exploitation allows attackers to execute arbitrary operating system commands, potentially leading to high impacts on confidentiality, integrity, and availability, such as data theft, system modification, or denial of service.

References including GitHub issues at master-abc/cve/issues/12 and VulDB entries (ctiid.340346, id.340346) confirm the exploit has been publicly disclosed and may be utilized. The vendor was contacted early regarding disclosure but did not respond, and no patches or specific mitigations are detailed in the advisories.

Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against unpatched systems.

Vulnerability details

A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected function is WriterHandle.getCmd in the file /isomp-protocol/protocol/getCmd; manipulation of the argument sessionPath causes OS command injection. The attack can be carried out remotely.…

The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

This CVE enables unauthenticated remote OS command injection in a public-facing web application endpoint, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1414 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2026-1324 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2025-15502 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2026-1412 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2026-1413 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2025-12916 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2026-1325 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2025-15503 (same product: Sangfor Operation And Maintenance Security Management System)
CVE-2025-15500 (same vendor: Sangfor)
CVE-2025-15499 (same vendor: Sangfor)

Affected Assets

Vendor: sangfor
Product: operation and maintenance security management system
Versions: ≤ 3.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-10 directly prevents OS command injection by requiring validation of untrusted inputs such as the sessionPath argument in WriterHandle.getCmd.

Prevent: SI-2 mandates timely remediation of known flaws like this command injection vulnerability through identification, reporting, and correction.

Prevent: AC-6 limits the impact of injected commands by enforcing least privilege on the vulnerable process, reducing potential damage to confidentiality, integrity, and availability.
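As an added illustration of the SI-10 control above (example code written for this page, not Sangfor's code and not a reconstruction of WriterHandle.getCmd): a Python allowlist validator for a sessionPath-style argument, and a command builder that passes the validated value as a single argv element so no shell ever parses it. The session root, the wrapped `cat` command and all function names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumed, illustrative values: the session root and the command wrapped by
# getCmd are placeholders, not taken from the Sangfor product.
SESSION_ROOT = Path("/var/lib/isomp/sessions")
_SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_session_path(session_path: str) -> Path:
    """Return the absolute target for a sessionPath value or raise ValueError.
    Allowlist, not denylist: each segment must match a small character class,
    '.' and '..' are rejected, and the resolved path must stay under SESSION_ROOT.
    """
    if not session_path or "\x00" in session_path:
        raise ValueError("sessionPath empty or contains NUL")
    segments = session_path.replace("\\", "/").split("/")
    for seg in segments:
        if seg in (".", "..") or not _SAFE_SEGMENT.fullmatch(seg):
            raise ValueError(f"disallowed sessionPath segment: {seg!r}")
    root = SESSION_ROOT.resolve()
    target = (root / session_path).resolve()  # symlink-aware containment check
    if root not in target.parents:
        raise ValueError("sessionPath escapes the session root")
    return target


def is_safe_session_path(session_path: str) -> bool:
    """Boolean convenience wrapper around validate_session_path."""
    try:
        validate_session_path(session_path)
        return True
    except ValueError:
        return False


def build_get_cmd_argv(session_path: str) -> list:
    """Build the OS command as an argv list: the validated path is one argument
    and no shell is involved, so ';', '$(...)' and friends are never parsed."""
    target = validate_session_path(session_path)
    return ["cat", "--", str(target)]  # placeholder command; '--' ends option parsing


def run_get_cmd(session_path: str) -> subprocess.CompletedProcess:
    """Execute with shell=False. The vulnerable pattern would instead be
    os.system('... ' + session_path), handing the raw string to /bin/sh."""
    return subprocess.run(build_get_cmd_argv(session_path), shell=False,
                          capture_output=True, text=True, check=False)
```

The regex allowlist is what rejects shell metacharacters; the `resolve()` containment check is defence in depth against symlinks inside the session root.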