CVE-2025-15502
OS Command Injection in Sangfor O&M SessionController (Remote Exploit
Publication date: 2026-01-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangfor | operation_and_maintenance_management_system | to 3.0.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15502 is a critical remote command execution vulnerability in Sangfor Operation and Maintenance Management System version 3.0.8. The flaw exists in the SessionController function at the /isomp-protocol/protocol/session endpoint, where the application improperly handles the 'hostname' parameter from an HTTP POST request. The backend concatenates this parameter directly into a shell command string without sanitizing special shell characters like semicolons, allowing an unauthenticated remote attacker to inject and execute arbitrary system commands with the privileges of the web service user (often root or tomcat). This leads to full system compromise. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to full system compromise by allowing an unauthenticated remote attacker to execute arbitrary system commands with the privileges of the web service user, which is typically root or tomcat. This impacts the confidentiality, integrity, and availability of the affected system, potentially allowing attackers to take control, steal data, disrupt services, or install malicious software. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests to the /isomp-protocol/protocol/session endpoint with malicious payloads in the hostname parameter to test for command injection. For example, sending a POST request with a payload that injects a command like 'id' and then checking for its output (such as a created file ii.txt) on the server can confirm exploitation. A proof of concept involves sending a POST request with the hostname parameter containing shell metacharacters (e.g., semicolons, pipes) followed by a command. Detection commands could include using curl or similar tools to send such POST requests and then verifying the presence of command execution results on the system or accessible files. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict whitelist input validation on the hostname parameter, allowing only alphanumeric characters, dots, and hyphens to prevent injection of shell metacharacters. Additionally, refactor the vulnerable code to use safer command execution methods such as Java's ProcessBuilder with command and arguments passed as a list to avoid shell interpretation. Since the vendor has not provided any patches or responses, it is also suggested to replace the affected product with an alternative if possible. [2, 3]