CVE-2026-1413

Medium

Published: 26 January 2026

Modified: 30 January 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0280 (84.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1413 is a medium-severity Injection (CWE-74) vulnerability in Sangfor Operation And Maintenance Security Management System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1413 is a command injection vulnerability affecting the Sangfor Operation and Maintenance Security Management System up to version 3.0.12. The issue resides in the portValidate function within the file /fort/ip_and_port/port_validate of the HTTP POST Request Handler component. Manipulation of the 'port' argument enables arbitrary command execution, classified under CWE-74 and CWE-77.

The vulnerability allows remote exploitation by attackers with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N). Successful attacks result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3. An exploit for this vulnerability has been made public.

Advisories and additional details are available in references including the GitHub issue at https://github.com/LX-LX88/cve/issues/23 and VulDB entries at https://vuldb.com/?ctiid.342802, https://vuldb.com/?id.342802, and https://vuldb.com/?submit.736522. The CVE was published on 2026-01-26.

Vulnerability details

A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004: Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in a remotely accessible web management system directly enables remote code execution via a Unix shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12916 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1412 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15502 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1414 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15501 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1325 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2026-1324 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15503 - Same product: Sangfor Operation And Maintenance Security Management System
CVE-2025-15500 - Same vendor: Sangfor
CVE-2025-15499 - Same vendor: Sangfor

Affected Assets

Vendor: sangfor
Product: operation and maintenance security management system
Version: ≤ 3.0.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation and sanitization of the 'port' argument in the HTTP POST handler to block command injection via CWE-74/77.

prevent: Mandates timely patching of the publicly disclosed flaw in the portValidate function up to version 3.0.12.

prevent: Enforces least functionality by disabling unnecessary OS command execution paths reachable from the web component.
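
An added example (not Sangfor's code and not taken from the advisory): one way to apply the input-validation control to a `port` parameter, together with a log check that flags POSTs to the affected path whose `port` value fails that validation. The form-encoded body, the record layout and the function names are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import parse_qs

AFFECTED_PATH = "/fort/ip_and_port/port_validate"  # path named on this page
_PORT_RE = re.compile(r"[0-9]{1,5}")  # ASCII digits only: no sign, space or newline


def parse_port(raw):
    """Allowlist validation: return the port as an int or raise ValueError."""
    if not isinstance(raw, str) or not _PORT_RE.fullmatch(raw):
        raise ValueError("port must be 1-5 ASCII digits")
    port = int(raw)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def flag_requests(records):
    """Yield (source, reason) for POSTs to the affected path with a bad port.

    Assumption: each record is (source, method, path, body) and the body is
    form-encoded; adapt the parsing to the real log or proxy format.
    """
    for source, method, path, body in records:
        if method != "POST" or path.split("?", 1)[0] != AFFECTED_PATH:
            continue
        values = parse_qs(body, keep_blank_values=True).get("port", [])
        if len(values) != 1:
            yield source, "missing or repeated port parameter"
            continue
        try:
            parse_port(values[0])
        except ValueError as exc:
            yield source, str(exc)


# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = [
    ("198.51.100.7", "POST", AFFECTED_PATH, "ip=10.0.0.5&port=443"),
    ("198.51.100.9", "POST", AFFECTED_PATH, "ip=10.0.0.5&port=443%3Bx"),
    ("198.51.100.9", "POST", AFFECTED_PATH, "ip=10.0.0.5&port=70000"),
    ("198.51.100.3", "GET", "/index", ""),
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(hit)
```

Server-side, the parsed integer should be the only form of the value that reaches later code; passing it as a separate argument to a process started without a shell removes the injection path that validation alone only narrows.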
