Cyber Resilience

CVE-2026-1412

Medium · Public PoC

Published: 26 January 2026

Modified: 30 January 2026
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0395 (89.1th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1412 is a medium-severity Injection (CWE-74) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

A command injection vulnerability affects the Sangfor Operation and Maintenance Security Management System up to version 3.0.12. The flaw resides in an unknown function of the file /fort/audit/get_clip_img in the HTTP POST Request Handler component, where manipulation of the frame/dirno argument allows arbitrary command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 6.9.

Remote attackers can exploit the vulnerability without authentication or user interaction by sending crafted POST requests, resulting in limited impacts to confidentiality, integrity, and availability on the affected system. Publicly disclosed exploit code increases the risk of unauthenticated remote code execution in exposed deployments.

Reference entries on VulDB and a GitHub issue repository document the flaw and proof-of-concept details but do not include vendor patch information or specific mitigation steps. The EPSS score has risen from a baseline of 0.0009 to a peak of 0.0102, indicating growing exploitation interest after disclosure.

Vulnerability details

A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote command injection in a public-facing web application handler enables initial access via exploitation of a vulnerable public-facing system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1413 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1414 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-12916 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1325 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15502 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15501 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15503 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1324 · Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15500 · Same vendor: Sangfor
CVE-2025-15499 · Same vendor: Sangfor

Affected Assets

Vendor: sangfor
Product: operation and maintenance security management system
Version: ≤ 3.0.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs (frame/dirno) to the /fort/audit/get_clip_img handler, blocking the command-injection payload before execution.

prevent

Boundary-protection mechanisms (e.g., WAF rules or allow-lists) can inspect and drop HTTP POST requests containing command-injection syntax targeting the exposed endpoint.

detect

Continuous monitoring of web-application traffic and process execution can identify anomalous command patterns or unexpected child processes spawned by the audit component.
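
One way to apply the input-validation and monitoring controls above at a reverse proxy or in log review, as an added example (not code from the vendor, the advisory, or this site). Assumptions: `frame` and `dirno` are separate form parameters whose legitimate values are short decimal integers, and a proxy logs request bodies in the tab-separated layout shown; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/fort/audit/get_clip_img"  # path named in the advisory
WATCHED = ("frame", "dirno")           # argument names from the advisory
# ASSUMPTION: legitimate values are short decimal integers (ASCII digits only).
NUMERIC = re.compile(r"[0-9]{1,10}")

def check_request(method, target, body):
    """Return the reasons a request to the endpoint fails the allow-list."""
    if method.upper() != "POST" or urlsplit(target).path.rstrip("/") != ENDPOINT:
        return []
    # parse_qs percent-decodes, so encoded metacharacters are checked decoded.
    form = parse_qs(body, keep_blank_values=True)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = []
    for name in WATCHED:
        values = form.get(name, []) + query.get(name, [])
        if len(values) > 1:  # duplicates can bypass naive first/last-value filters
            reasons.append(f"{name}: supplied {len(values)} times")
        for value in values:
            if not NUMERIC.fullmatch(value):
                reasons.append(f"{name}: non-numeric value {value!r}")
    return reasons

# Constructed sample log (hypothetical format): time, source, method, target, body.
SAMPLE_LOG = """\
2026-01-27T09:14:02Z\t10.0.4.17\tPOST\t/fort/audit/get_clip_img\tframe=12&dirno=3
2026-01-27T09:14:09Z\t198.51.100.23\tPOST\t/fort/audit/get_clip_img\tframe=12&dirno=3%3Btrue
2026-01-27T09:14:11Z\t198.51.100.23\tPOST\t/fort/audit/get_clip_img\tframe=%60true%60&dirno=3
2026-01-27T09:15:40Z\t10.0.4.17\tPOST\t/fort/login\tuser=a%3Bb
"""

def scan(log_text):
    """Return (timestamp, source, reasons) for every request that fails the check."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, method, target, body = line.split("\t")
        reasons = check_request(method, target, body)
        if reasons:
            alerts.append((ts, src, reasons))
    return alerts

if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```

An allow-list on the expected value shape holds up better than matching known injection syntax, since it rejects anything that is not a plain integer regardless of encoding.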

References