Cyber Resilience

CVE-2025-15503

MediumPublic PoC

Published: 10 January 2026

Published
10 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0191 77.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15503 is a medium-severity Improper Access Control (CWE-284) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-15503 is an unrestricted file upload vulnerability in Sangfor Operation and Maintenance Management System versions up to 3.0.8. The flaw resides in an unknown function within the file /fort/trust/version/common/common.jsp, where manipulation of the "File" argument enables the upload of arbitrary files. Published on 2026-01-10, it is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this vulnerability, making it accessible to unauthenticated adversaries over the network with low attack complexity. Successful exploitation allows limited impacts to confidentiality, integrity, and availability, potentially enabling further compromise depending on the uploaded files.

No vendor response or patches have been issued despite early notification, leaving affected systems without official mitigations. An exploit is publicly available, increasing the risk of active attacks. Relevant advisories appear in GitHub issues at https://github.com/master-abc/cve/issues/13 and VulDB entries such as https://vuldb.com/?ctiid.340348.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack…

more

is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing web application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1100 (Web Shell) via arbitrary file upload including executable web shells.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1412Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1325Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1413Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1414Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15501Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15502Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-12916Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1324Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-4220Shared CWE-284, CWE-434
CVE-2026-0547Shared CWE-284, CWE-434

Affected Assets

sangfor
operation and maintenance security management system
≤ 3.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of the 'File' argument to block unrestricted uploads of arbitrary and dangerous files.

prevent

AC-3 enforces access controls on the vulnerable /fort/trust/version/common/common.jsp endpoint to prevent unauthorized remote file uploads.

prevent

SI-9 restricts classes of dangerous file types that can be input to mitigate CWE-434 unrestricted upload of files with dangerous types.

References