CVE-2026-1325
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-30
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangfor | operation_and_maintenance_security_management_system | up to and including 3.0.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1325 is a security vulnerability in Sangfor Operation and Maintenance Security Management System (up to version 3.0.12) affecting the password recovery function at the endpoint /fort/login/edit_pwd_mall. The vulnerability arises because the backend logic fails to verify the user's session or original password when a specific parameter (isflag=true) is manipulated. This allows an unauthenticated remote attacker to reset any user's password, including the administrator's, without needing any authentication. The flaw is due to improper authentication and logic bypass, making it possible to fully compromise the management console remotely. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote attackers to reset any user's password, including administrator accounts, leading to unauthorized access and potential full system compromise. Such a security flaw can result in unauthorized disclosure, alteration, or loss of sensitive data, thereby negatively impacting compliance with common standards and regulations like GDPR and HIPAA that require strong access controls and protection of personal and sensitive information. The lack of vendor response and absence of patches further exacerbate the compliance risk. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to remotely reset the password of any user account, including the built-in administrator, simply by knowing the username. This leads to full compromise of the Bastion Host's management console, enabling the attacker to gain unauthorized access and control over the system. Since no authentication or local access is required, the risk is significant and exploitation is easy with publicly available proof-of-concept code. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/fort/login/edit_pwd_mall` with the parameter `isflag=true`. You can use network traffic analysis tools or web server logs to identify such requests. Additionally, using the FOFA query `body="/fort/login" && product="SANGFOR-运维安全管理系统"` can help identify affected assets on your network. A practical detection command example using curl to test the endpoint (without exploiting) could be: `curl -k -X POST https://<TARGET_IP>:8088/fort/login/edit_pwd_mall -d 'account=test&newpwd=test&repwd=test&isflag=true' -v`. Monitoring for such requests or unexpected password reset attempts can indicate exploitation attempts. [2]
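A defender-side check for the log-monitoring approach above, added here as an example that is not part of this page or of the vendor's product: it parses web-server access-log lines (constructed samples), flags POST requests to `/fort/login/edit_pwd_mall`, and rates them higher when `isflag=true` appears in the query string or the client sits outside an assumed internal allow-list (the `10.0.0.` prefix is a placeholder). Standard access logs record only the request line, not POST bodies, so an `isflag` sent in the body is visible only in reverse-proxy or WAF logs that capture bodies.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2026:10:01:03 +0000] "GET /fort/login HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2026:10:01:07 +0000] "POST /fort/login/edit_pwd_mall HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.9 - - [22/Jan/2026:10:01:09 +0000] "POST /fort/login/edit_pwd_mall?isflag=true HTTP/1.1" 200 58 "-" "curl/8.4.0"
10.0.0.7 - - [22/Jan/2026:10:02:11 +0000] "POST /fort/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ENDPOINT = "/fort/login/edit_pwd_mall"
TRUSTED_NETS = ("10.0.0.",)  # assumed internal prefix; replace with your real allow-list

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)  # None for lines that are not Combined Log Format
    return m.groupdict() if m else None

def classify(rec: Dict[str, str]) -> str:
    """Severity for one record; isflag is only visible here if sent in the query string."""
    url = urlsplit(rec["target"])
    if rec["method"] != "POST" or url.path != ENDPOINT:
        return "ok"
    isflag = parse_qs(url.query).get("isflag", [""])[0].lower() == "true"
    if isflag:
        return "high"    # bypass parameter visible in the request line
    if not rec["ip"].startswith(TRUSTED_NETS):
        return "medium"  # reset endpoint reached from outside the allow-list
    return "low"         # internal caller; body not logged, review separately

def scan(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious record in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev != "ok":
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "severity": sev, "target": rec["target"]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['target']}")
```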
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Disable the `/fort/login/edit_pwd_mall` endpoint if the mall integration is not needed.
2. Restrict access to this endpoint by enforcing IP whitelisting to allow only trusted internal IP addresses.
3. Implement strong authentication mechanisms such as HMAC signatures or pre-shared API keys for all administrative actions via integration interfaces.
4. Refactor the password change logic to prevent bypassing session or old-password verification through the `isflag` parameter.

Since no official patch or vendor response is available, consider replacing the affected product to avoid exploitation. [2]