CVE-2025-15501
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangfor | operation_and_maintenance_management_system | From 3.0.0 (inc) to 3.0.8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15501 is a critical remote command execution vulnerability in Sangfor Operation and Maintenance Management System version 3.0.8 and earlier. It exists in the WriterHandle.getCmd function of the /isomp-protocol/protocol/getCmd endpoint, where the sessionPath parameter is not properly sanitized. An attacker can inject shell metacharacters into this parameter, causing arbitrary operating system commands to be executed with the privileges of the web server process, typically running as root or tomcat. This allows an unauthenticated remote attacker to gain full control over the affected system. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote control over the affected system by an unauthenticated attacker. It compromises the confidentiality, integrity, and availability of the system by allowing arbitrary command execution with high privileges. Attackers can execute any system commands, potentially leading to data theft, system disruption, or further network compromise. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by sending crafted HTTP POST requests to the vulnerable endpoint /isomp-protocol/protocol/getCmd with the sessionPath parameter containing shell metacharacters to test for command injection. For example, a test command could be a POST request with sessionPath=;whoami>/tmp/whoami.txt; which attempts to execute the whoami command and write output to a file. If the file is created and accessible, the system is vulnerable. Additionally, asset identification can be done using FOFA queries such as body="/fort/login" && product="SANGFOR-运维安全管理系统" to find affected systems. Monitoring network traffic for suspicious POST requests to /isomp-protocol/protocol/getCmd with unusual sessionPath values may also help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation on the sessionPath parameter by whitelisting allowed characters (alphanumeric, /, ., _) and rejecting shell metacharacters to prevent command injection. Replace unsafe command execution methods that use string concatenation or Runtime.exec with safer alternatives like Java's ProcessBuilder, passing parameters as argument lists to avoid shell interpretation. If possible, restrict or block access to the vulnerable endpoint /isomp-protocol/protocol/getCmd at the network level. Since no vendor patch or official fix is available, consider replacing the affected product with a secure alternative. Monitoring and blocking suspicious requests targeting this endpoint is also recommended. [2, 3]
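Added example, not code from this page or from Sangfor: the sessionPath allow-list from the mitigation answer (alphanumeric, /, ., _) written as a reusable check, then applied as the log-monitoring rule suggested in the detection answer, over a few constructed records in a made-up proxy log format. The log layout, client addresses and parameter values are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs

# Allow-list for sessionPath, matching the mitigation described above.
# An allow-list rather than a metacharacter deny-list: backticks, $(), newlines
# and anything else outside the set are rejected without enumerating them.
# Note that '..' is still permitted by this set; path normalisation is a separate check.
SESSION_PATH_RE = re.compile(r"[A-Za-z0-9/._]+")
TARGET_PATH = "/isomp-protocol/protocol/getCmd"


def session_path_is_safe(value: str) -> bool:
    """True only when value is non-empty and made solely of allow-listed characters."""
    return SESSION_PATH_RE.fullmatch(value) is not None


# Constructed sample log (hypothetical reverse-proxy format that records the
# request line and, for POSTs, the form body): <client> <METHOD> <path> <body>
SAMPLE_LOG = """\
10.0.0.5 POST /isomp-protocol/protocol/getCmd sessionPath=/opt/isomp/sessions/s1
10.0.0.9 POST /isomp-protocol/protocol/getCmd sessionPath=%3Bid%3E%2Ftmp%2Fx%3B
10.0.0.7 GET /fort/login -
10.0.0.9 POST /isomp-protocol/protocol/getCmd sessionPath=/tmp/a%60uname%60
"""


def find_suspicious_requests(log_text: str) -> list:
    """Flag requests to the vulnerable endpoint whose decoded sessionPath
    fails the allow-list. Percent-encoded bodies are decoded by parse_qs,
    so encoded metacharacters are caught as well as literal ones."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed record; skip rather than crash the monitor
        client, method, path, body = parts
        if path != TARGET_PATH:
            continue
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("sessionPath", []):
            if not session_path_is_safe(value):
                findings.append({"client": client, "method": method, "sessionPath": value})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious getCmd request from {hit['client']}: sessionPath={hit['sessionPath']!r}")
```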