CVE-2026-1324
Published: 22 January 2026
Summary
CVE-2026-1324 is a high-severity Command Injection (CWE-77) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 47.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly validates and sanitizes the keypassword input in the SSH Protocol Handler to prevent OS command injection.
- Mandates timely flaw remediation for the command injection vulnerability in Sangfor OMM SessionController, including patching or workarounds when available.
- Enforces least privilege on processes handling SSH sessions to limit the impact of any successfully injected OS commands by low-privilege users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-1324 enables arbitrary OS command injection in a remote SSH Protocol Handler service by authenticated low-privilege users, directly facilitating T1210 (Exploitation of Remote Services) and T1059 (Command and Scripting Interpreter).
NVD Description
A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-1324 is an OS command injection vulnerability affecting the Sangfor Operation and Maintenance Management System versions up to 3.0.12. The issue resides in the SessionController function within the file /isomp-protocol/protocol/session of the SSH Protocol Handler component. By manipulating the keypassword argument, an attacker can inject arbitrary operating system commands, as classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-22.
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full system compromise through arbitrary command execution on the underlying operating system.
Advisories from VulDB and a related GitHub issue detail the vulnerability but report no vendor response despite early disclosure notification. No patches or official mitigations are available, and recent submissions on VulDB highlight the issue.
A public exploit is available, increasing the likelihood of active exploitation against unpatched Sangfor OMM systems.
Details
- CWE(s)