CVE-2026-1324
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-30
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangfor | operation_and_maintenance_security_management_system | up to and including 3.0.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1324 is a critical remote OS command injection (CWE-78) in Sangfor Operation and Maintenance Management System up to and including version 3.0.12. The flaw sits in the SSH Protocol Handler component, in the SessionController function that serves the HTTP POST endpoint `/isomp-protocol/protocol/session`. That handler takes the user-supplied `keypassword` parameter and concatenates it verbatim into a shell command line that invokes `ssh-keygen`, with no validation or escaping. Because the resulting string is handed to a shell rather than passed to `ssh-keygen` as a discrete argument, an attacker who controls `keypassword` can close the intended argument (for example with a single quote), append a separator such as `;`, and follow it with any command of their choosing; the shell runs that command with the privileges of the application process, which is enough to compromise the server. [1, 2, 3]
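The concatenation flaw described above, next to the fix that actually removes it, as an added illustration in Python; this is not code from Sangfor, VulDB or the product itself (the handler runs under Tomcat, so the real code is presumably Java). The exact command line is not published, so the block assumes a change-passphrase invocation of the form `ssh-keygen -p -f <key> -P '' -N '<keypassword>'`, a hypothetical key path `/tmp/demo_key`, and a constructed sample payload. `injected_commands` tokenizes the vulnerable command line the way a POSIX shell would and lists every command that would run after a separator; the hardened builder passes the passphrase as one argv element and never involves a shell.

```python
"""Vulnerable vs. hardened construction of an ssh-keygen command line.

Added example for the CWE-78 pattern described in CVE-2026-1324. Not the
product's code: the flag layout, key path and payload are assumptions.
"""
import shlex
import subprocess

KEYFILE = "/tmp/demo_key"  # hypothetical key path, not from the advisory
# Constructed attacker value: closes the quoted -N argument, adds two commands,
# and reopens a quote so the trailing ' from the template still balances.
SAMPLE_PAYLOAD = "x'; id > /tmp/pwned; echo '"
SHELL_SEPARATORS = {";", "|", "&", "&&", "||"}


def build_cmd_vulnerable(keypassword: str) -> str:
    """The CVE pattern: untrusted input spliced into a string for the shell.

    Wrapping the value in single quotes is no protection once the value
    itself contains a single quote.
    """
    return f"ssh-keygen -p -f {KEYFILE} -P '' -N '{keypassword}'"


def shell_tokens(cmd: str) -> list:
    """Tokenize cmd as /bin/sh would, keeping ; | & as separate tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(cmd: str) -> list:
    """Names of the commands the shell would run after each separator.

    Empty for a benign passphrase; non-empty means the passphrase escaped
    the -N argument and became additional shell commands.
    """
    extra, expect_cmd = [], False
    for tok in shell_tokens(cmd):
        if tok in SHELL_SEPARATORS:
            expect_cmd = True
        elif expect_cmd:
            extra.append(tok)
            expect_cmd = False
    return extra


def build_cmd_hardened(keypassword: str) -> list:
    """Fix: the passphrase is ONE argv element and no shell parses the list.

    Quotes, semicolons and pipes then reach ssh-keygen as literal passphrase
    bytes. The length and control-character checks are defence in depth,
    not the control that removes the injection.
    """
    if not keypassword or len(keypassword) > 128:
        raise ValueError("passphrase length out of range")
    if "\x00" in keypassword or "\n" in keypassword or "\r" in keypassword:
        raise ValueError("control characters rejected")
    return ["ssh-keygen", "-p", "-f", KEYFILE, "-P", "", "-N", keypassword]


def run_hardened(keypassword: str) -> subprocess.CompletedProcess:
    """Execute the argv list directly; shell=False is the default."""
    return subprocess.run(
        build_cmd_hardened(keypassword), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    print("shell would run:", injected_commands(build_cmd_vulnerable(SAMPLE_PAYLOAD)))
    print("hardened argv:  ", build_cmd_hardened(SAMPLE_PAYLOAD))
```

Even the hardened form still places the passphrase on the command line, where any local user can read it from the process listing; that is a separate weakness from the injection and is why passphrase handling normally avoids `-N` with secrets of real value.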
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the server hosting the Sangfor OSM application, with the privileges of the application process. That is sufficient for full compromise of the host: reading the sensitive data the system holds, modifying or deleting files, disrupting the service, and using the server as a foothold for lateral movement. Since an operations and maintenance system typically sits on a management network with reach into other infrastructure, the blast radius can extend well beyond the host itself. Confidentiality, integrity and availability are all affected, hence the critical rating. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has a request-level and a host-level angle. At the request layer, watch HTTP POST requests to `/isomp-protocol/protocol/session` whose `keypassword` parameter contains shell metacharacters (single quotes, semicolons, pipes, backticks, `$(`). Be aware that a standard access log records only the request line, so a `keypassword` value sent in a POST body will not appear there; inspecting it needs a WAF, a reverse proxy configured to log request bodies, or a packet capture. The access log is still useful for enumerating who has been posting to the endpoint at all, for example `grep 'POST /isomp-protocol/protocol/session' /usr/local/tomcat/logs/localhost_access_log.*.txt` (use the reverse proxy's log instead if one fronts Tomcat), and any source address that is not a known administrator host deserves a closer look. At the host level, the exploitation attempts described in the references drop a marker file, so `find /usr/local/tomcat/webapps/isomp-protocol/ -name 'ssh_hack.txt'` is a quick check for that specific activity, but an attacker can choose any filename, so look more generally for files under the webapp directory that the deployment did not ship, and for `ssh-keygen` or a shell being spawned as a child of the Tomcat Java process with arguments that do not look like a passphrase (auditd `execve` records or an EDR process tree will show this). [2]
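The two detection angles above, as an added Python triage script that is not part of the original page or of the product: it assumes Tomcat's default common-log access format and some source of decoded POST bodies (reverse proxy, WAF or packet capture), and the access-log lines and request bodies embedded in it are constructed for the example. It pulls out every POST to the endpoint with its source address and status, and flags any `keypassword` value containing shell metacharacters.

```python
"""Triage helpers for CVE-2026-1324 request-level detection.

Added example; not Sangfor's or VulDB's code. The log lines and request
bodies below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

ENDPOINT = "/isomp-protocol/protocol/session"

# Tomcat's default AccessLogValve pattern ("common") produces this layout.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters a passphrase only needs if someone wants a shell to see them.
SHELL_META_RE = re.compile(r"[;&|`$<>'\"\\\n]")

# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [22/Jan/2026:10:15:01 +0000] "POST /isomp-protocol/protocol/session HTTP/1.1" 200 512
10.0.0.5 - - [22/Jan/2026:10:15:02 +0000] "GET /isomp-protocol/static/app.js HTTP/1.1" 200 14231
203.0.113.9 - - [22/Jan/2026:10:16:40 +0000] "POST /isomp-protocol/protocol/session HTTP/1.1" 500 0
"""

# Constructed sample POST bodies as a body-logging proxy might record them
# (form-encoded; the second one carries an injection attempt).
SAMPLE_BODIES = [
    "host=10.0.0.20&username=ops&keypassword=Winter2026",
    "host=10.0.0.20&username=ops&keypassword=x%27%3Bid%3E%2Fusr%2Flocal"
    "%2Ftomcat%2Fwebapps%2Fisomp-protocol%2Fssh_hack.txt%3Becho+%27",
]


def parse_access_line(line: str):
    """Return a dict for a common-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    rec["status"] = int(rec["status"])
    return rec


def session_posts(lines, endpoint: str = ENDPOINT) -> list:
    """Every POST to the vulnerable endpoint, with source IP and status.

    Compare the IPs against the hosts that are supposed to talk to the
    management system; anything else is worth investigating.
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == endpoint:
            hits.append(rec)
    return hits


def suspicious_keypassword(body: str):
    """Decoded keypassword value if it contains shell metacharacters, else None."""
    for value in parse_qs(body, keep_blank_values=True).get("keypassword", []):
        if SHELL_META_RE.search(value):
            return value
    return None


def flag_bodies(bodies) -> list:
    """Suspicious keypassword values across a batch of request bodies."""
    flagged = []
    for body in bodies:
        value = suspicious_keypassword(body)
        if value is not None:
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    for hit in session_posts(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"POST to endpoint from {hit['ip']} at {hit['ts']} -> {hit['status']}")
    for value in flag_bodies(SAMPLE_BODIES):
        print("suspicious keypassword:", value)
```

The metacharacter test is a triage signal, not proof: a legitimate passphrase may contain such characters, so confirm a hit against the host-level indicators (unexpected files, `ssh-keygen` or a shell spawned by the Tomcat process) before treating it as an incident.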
What immediate steps should I take to mitigate this vulnerability?
As of this entry's last update, no vendor patch or workaround is listed, so the immediate steps are about exposure. Restrict reachability of the application, and of `/isomp-protocol/protocol/session` in particular, to the administrators' management network using firewall rules or an allow-list on the reverse proxy; an operations and maintenance console should never be reachable from the internet. If a WAF or reverse proxy fronts the system, block or alert on POSTs to that endpoint whose `keypassword` value contains shell metacharacters, treating this as a stop-gap rather than a fix, since filters of this kind can be bypassed. If the system cannot be isolated, take the affected versions (up to and including 3.0.12) offline or replace them until a fix exists, and check with the vendor for updates issued after this entry. Finally, a host that was exposed with this flaw should be reviewed for prior compromise (unexpected files under the webapp directory, unexplained `ssh-keygen` or shell executions by the Tomcat process), and any credentials it manages should be rotated if compromise is suspected. [3, 2]