CVE-2026-1324
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-30

Assigner: VulDB

Description
A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1324
EUVD
EUVD-2026-4153
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sangfor operation_and_maintenance_security_management_system to 3.0.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1324 is a critical remote OS command injection vulnerability in Sangfor Operation and Maintenance Management System (up to version 3.0.12). It occurs in the SSH Protocol Handler component, specifically in the SessionController function handling the HTTP POST endpoint `/isomp-protocol/protocol/session`. The vulnerability arises because the application takes the user-supplied `keypassword` parameter and directly concatenates it into a shell command string used in an `ssh-keygen` command without proper sanitization or validation. This allows an attacker to inject arbitrary OS commands remotely by crafting malicious input in the `keypassword` parameter, which the system then executes, potentially compromising the server. [1, 2, 3]

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the server hosting the Sangfor OSM application. This can lead to full compromise of the affected system, including unauthorized access to sensitive data, modification or deletion of files, disruption of services, and potentially using the compromised server as a foothold for further attacks. The impact affects confidentiality, integrity, and availability of the system, making it a critical security risk. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the endpoint `/isomp-protocol/protocol/session` for suspicious payloads in the `keypassword` parameter that may contain command injection patterns such as single quotes, semicolons, or command separators. A practical detection method is to look for unusual files created by injected commands, for example, checking for the presence of files like `/usr/local/tomcat/webapps/isomp-protocol/ssh_hack.txt` which may be created by exploitation attempts. You can use network monitoring tools or web server logs to identify POST requests to this endpoint with suspicious parameters. Additionally, you can use commands like `grep` on server logs to find POST requests containing suspicious `keypassword` values. For example: `grep 'POST /isomp-protocol/protocol/session' /var/log/httpd/access_log | grep keypassword` or monitor for unexpected files created by exploits using `find /usr/local/tomcat/webapps/isomp-protocol/ -name 'ssh_hack.txt'`. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/isomp-protocol/protocol/session` by implementing network-level controls such as firewall rules or IP whitelisting to limit access only to trusted users. Since no patches or vendor mitigations are available, disabling or removing the affected Sangfor Operation and Maintenance Management System versions up to 3.0.12 is recommended. Monitoring and blocking suspicious POST requests containing malicious payloads targeting the `keypassword` parameter can help reduce risk. Additionally, consider replacing the affected product with an alternative solution as no known countermeasures or patches exist. [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart