CVE-2026-1413
Published: 26 January 2026
Summary
CVE-2026-1413 is a medium-severity Injection (CWE-74) vulnerability in Sangfor Operation and Maintenance Security Management System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1413 is a command injection vulnerability affecting the Sangfor Operation and Maintenance Security Management System up to version 3.0.12. The issue resides in the portValidate function within the file /fort/ip_and_port/port_validate of the HTTP POST Request Handler component. Manipulation of the 'port' argument enables arbitrary command execution, classified under CWE-74 and CWE-77.
The vulnerability allows remote exploitation by attackers with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N). Successful attacks result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3. An exploit for this vulnerability has been made public.
Advisories and additional details are available in references including the GitHub issue at https://github.com/LX-LX88/cve/issues/23 and VulDB entries at https://vuldb.com/?ctiid.342802, https://vuldb.com/?id.342802, and https://vuldb.com/?submit.736522. The CVE was published on 2026-01-26.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4687
Vulnerability details
A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a remotely accessible web management system directly enables remote code execution via a Unix shell.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of the 'port' argument in the HTTP POST handler to block command injection via CWE-74/77.
- Mandates timely patching of the publicly disclosed flaw in the portValidate function up to version 3.0.12.
- Enforces least functionality by disabling unnecessary OS command execution paths reachable from the web component.
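One way to apply the input-validation and least-functionality controls to a port parameter, as an added example that is not Sangfor's code and not taken from the advisory. The function names, the `nc` probe command and the sample inputs are assumptions for illustration, and the IP check goes slightly beyond the 'port' argument the page names.

```python
import ipaddress
import re
import subprocess

# ASCII digits only, 1-5 characters; fullmatch also rejects a trailing newline.
_PORT_RE = re.compile(r"[0-9]{1,5}")


def parse_port(raw):
    """Return the port as an int, or raise ValueError for anything else."""
    if not isinstance(raw, str) or not _PORT_RE.fullmatch(raw):
        raise ValueError("port must be 1-5 ASCII digits")
    port = int(raw)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def build_probe_argv(raw_ip, raw_port):
    """Build an argument vector from validated, re-serialized values only."""
    ip = ipaddress.ip_address(raw_ip)  # ValueError on anything but an address
    port = parse_port(raw_port)
    # Hypothetical reachability probe; the command itself is an assumption.
    return ["nc", "-z", "-w", "3", str(ip), str(port)]


def run_probe(raw_ip, raw_port):
    # shell=False: no shell ever parses the values, so metacharacters stay
    # inert even if a validation regression is introduced later.
    argv = build_probe_argv(raw_ip, raw_port)
    done = subprocess.run(argv, shell=False, timeout=5, capture_output=True)
    return done.returncode == 0


# Constructed sample inputs: one well-formed port, the rest malformed.
SAMPLES = ["443", "0", "65536", "80;x", "80\n", "８０", " 22", "-1", ""]


def classify(samples):
    """Map each raw input to its parsed port, or None if it was rejected."""
    out = {}
    for s in samples:
        try:
            out[s] = parse_port(s)
        except ValueError:
            out[s] = None
    return out
```

The validated integer is converted back to a string before use, so the raw request value never reaches the command line.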