CVE-2026-1412
Published: 26 January 2026
Summary
CVE-2026-1412 is a medium-severity Injection (CWE-74) vulnerability in Sangfor Operation and Maintenance Security Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 10.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
A command injection vulnerability affects the Sangfor Operation and Maintenance Security Management System up to version 3.0.12. The flaw resides in an unknown function within the /fort/audit/get_clip_img component of the HTTP POST Request Handler, where manipulation of the frame/dirno argument allows arbitrary command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 score of 6.9.
Remote attackers can exploit the vulnerability without authentication or user interaction by sending crafted POST requests, resulting in limited impacts to confidentiality, integrity, and availability on the affected system. Publicly disclosed exploit code increases the risk of unauthenticated remote code execution in exposed deployments.
Reference entries on VulDB and a GitHub issue repository document the flaw and proof-of-concept details but do not include vendor patch information or specific mitigation steps. The EPSS score has risen from a baseline of 0.0009 to a peak of 0.0102, indicating growing exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4686
Vulnerability details
A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote command injection in a public-facing web application handler enables initial access via exploitation of a vulnerable public-facing system.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) directly requires validation and sanitization of untrusted inputs (frame/dirno) to the /fort/audit/get_clip_img handler, blocking the command-injection payload before execution.
Boundary-protection mechanisms (e.g., WAF rules or allow-lists) can inspect and drop HTTP POST requests containing command-injection syntax targeting the exposed endpoint.
Continuous monitoring of web-application traffic and process execution can identify anomalous command patterns or unexpected child processes spawned by the audit component.
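The input-validation and boundary-protection controls above can be sketched as an allow-list screen placed in front of the handler, for example in a reverse proxy hook. This is an added example, not vendor or project code; it assumes frame and dirno are two separate form-encoded POST fields whose legitimate values are short alphanumeric tokens, and the function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/fort/audit/get_clip_img"   # handler path named in the advisory
CHECKED_FIELDS = ("frame", "dirno")     # assumption: two separate form fields
# Assumption: legitimate values are short identifiers; tune to observed traffic.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def screen_request(method, path, body):
    """Return (field, reason) findings for one request; an empty list means pass."""
    # Normalise the path so '//' or a trailing '/' cannot sidestep the check.
    clean = posixpath.normpath(unquote(path.split("?", 1)[0]))
    if method.upper() != "POST" or clean != ENDPOINT:
        return []
    findings, seen = [], set()
    # parse_qsl percent-decodes, so the allow-list sees what the handler would see.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in CHECKED_FIELDS:
            continue
        if name in seen:
            findings.append((name, "duplicate field"))
        seen.add(name)
        if not ALLOWED_VALUE.fullmatch(value):
            findings.append((name, "value outside allow-list"))
    return findings


SAMPLES = [  # constructed requests, not captured traffic
    ("POST", "/fort/audit/get_clip_img", "frame=12&dirno=0003"),
    ("POST", "/fort/audit/get_clip_img", "frame=12&dirno=3%3Bx"),
    ("POST", "/fort/audit//get_clip_img/", "frame=%24%28x%29&dirno=3"),
    ("GET", "/index", ""),
]


def flagged(samples=SAMPLES):
    """Indexes of sample requests that should be dropped and alerted on."""
    return [i for i, s in enumerate(samples) if screen_request(*s)]
```

Requests that produce findings should be rejected before they reach the handler and logged, which also gives the monitoring control a concrete signal to alert on.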