Cyber Resilience

CVE-2026-1325

MediumPublic PoC

Published: 22 January 2026

Published
22 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0052 40.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1325 is a medium-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-1325 is a security vulnerability affecting the Sangfor Operation and Maintenance Security Management System in versions up to 3.0.12. The flaw resides in the edit_pwd_mall function within the /fort/login/edit_pwd_mall file, where manipulation of the "flag" argument enables weak password recovery. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is linked to CWE-640.

Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation involves manipulating the specified argument to trigger weak password recovery, resulting in low integrity impact but no confidentiality or availability disruption.

Advisories from VulDB and a related GitHub issue detail the vulnerability, noting that a public exploit has been released and may be used in attacks. The vendor was contacted early for disclosure but provided no response, and no patches or official mitigations are available.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible…

more

to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote exploitation of public-facing web app password recovery function (CWE-640) via argument manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1412Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15501Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15503Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15502Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1413Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1414Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-12916Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1324Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15500Same vendor: Sangfor
CVE-2025-15499Same vendor: Sangfor

Affected Assets

sangfor
operation and maintenance security management system
≤ 3.0.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires secure authenticator (password) management including reset and recovery procedures, blocking the weak recovery flaw triggered by flag manipulation.

prevent

Enforces that password-recovery actions are only performed after proper authorization, preventing unauthenticated manipulation of the edit_pwd_mall function.

prevent

Mandates re-authentication before sensitive account changes such as password recovery, mitigating bypass via the vulnerable flag argument.

References