CVE-2025-15503
Published: 10 January 2026
Summary
CVE-2025-15503 is a high-severity Improper Access Control (CWE-284) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of the 'File' argument to block unrestricted uploads of arbitrary and dangerous files.
AC-3 enforces access controls on the vulnerable /fort/trust/version/common/common.jsp endpoint to prevent unauthorized remote file uploads.
SI-9 restricts classes of dangerous file types that can be input to mitigate CWE-434 unrestricted upload of files with dangerous types.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in public-facing web application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1100 (Web Shell) via arbitrary file upload including executable web shells.
NVD Description
A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack…
more
is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-15503 is an unrestricted file upload vulnerability in Sangfor Operation and Maintenance Management System versions up to 3.0.8. The flaw resides in an unknown function within the file /fort/trust/version/common/common.jsp, where manipulation of the "File" argument enables the upload of arbitrary files. Published on 2026-01-10, it is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability, making it accessible to unauthenticated adversaries over the network with low attack complexity. Successful exploitation allows limited impacts to confidentiality, integrity, and availability, potentially enabling further compromise depending on the uploaded files.
No vendor response or patches have been issued despite early notification, leaving affected systems without official mitigations. An exploit is publicly available, increasing the risk of active attacks. Relevant advisories appear in GitHub issues at https://github.com/master-abc/cve/issues/13 and VulDB entries such as https://vuldb.com/?ctiid.340348.
Details
- CWE(s)