CVE-2026-1412
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangfor | operation_and_maintenance_security_management_system | up to and including 3.0.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1412 is a critical remote command injection vulnerability in Sangfor's Operation and Maintenance Security Management System (OSM), affecting versions up to and including 3.0.12. The flaw is in the HTTP POST endpoint /fort/audit/get_clip_img: the request parameters `frame` and `dirno` are not sanitized and are concatenated directly into a shell command that the server executes (CWE-77). An unauthenticated remote attacker who controls either parameter can therefore append or substitute shell commands of their choosing and have them run on the appliance. [1, 2, 3]
How can this vulnerability impact me?
An unauthenticated remote attacker can execute arbitrary operating system commands on the affected Sangfor OSM server, compromising its confidentiality, integrity, and availability. In practice this means full control of the server: reading sensitive data, disrupting the service, planting persistence, or using the host as a foothold for further attacks against the environment it sits in. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: finding affected assets, and finding exploitation attempts. For asset discovery, scan for hosts that expose `/fort/login` and return the product name "SANGFOR-运维安全管理系统" (SANGFOR Operation and Maintenance Security Management System), then compare the version against 3.0.12. For exploitation attempts, look for HTTP POST requests to `/fort/audit/get_clip_img` whose `frame` or `dirno` parameter contains shell metacharacters such as `;`, `|`, `&`, backticks, `$(`, or a newline. Match on the URL-decoded value: an attacker will send `%3B`, `%7C`, `%0a`, or `%60` rather than the literal character. Note that ordinary web-server access logs do not record POST bodies, so this check needs a WAF, reverse proxy, IDS, or full-request capture in front of the appliance. The public proof of concept sends a POST with `ip=local`, a long `sid`, and a `frame` value carrying the injected command; a quick test against a system you are authorized to assess is `curl -X POST http://<target>/fort/audit/get_clip_img -d "ip=local&sid=longstring&frame=1;id;"`, after which you check the server for the command's output or for unexpected files created on the server. Use a harmless command for such tests, because anything you inject really does run on the appliance. [1]
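As an added illustration, not code from the advisory or from Sangfor, the following Python scan applies the detection rule just described to a handful of constructed request records. It assumes a log source that records the POST body (a WAF or reverse proxy), in the made-up shape `<client> <method> <path> <urlencoded body>`; the sample records, the `SAMPLE_RECORDS` name and the `scan` and `tainted_values` helpers are all this example's own. The same predicate can be dropped into a reverse proxy or WAF to block the request instead of just logging it.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint named in the advisory and the two parameters that reach the shell.
VULN_PATH = "/fort/audit/get_clip_img"
TAINTED_PARAMS = ("frame", "dirno")

# Characters that end or chain a shell command. Applied to the DECODED value,
# so %3B, %7C, %0a and %60 are caught as well as the literal characters.
SHELL_META = re.compile(r"[;|&`$\n\r<>()]")

# Constructed sample records (not captured from a real device).
SAMPLE_RECORDS = [
    "10.0.0.5 POST /fort/audit/get_clip_img ip=local&sid=abc123&frame=12&dirno=7",
    "10.0.0.9 POST /fort/audit/get_clip_img ip=local&sid=abc123&frame=1;id;&dirno=7",
    "10.0.0.9 POST /fort/audit/get_clip_img ip=local&sid=abc123&frame=1&dirno=7%7Cwhoami",
    "10.0.0.9 POST /fort/audit/get_clip_img ip=local&sid=abc&frame=%60id%60&dirno=7",
    "10.0.0.9 POST /fort/audit/get_clip_img ip=local&sid=abc&frame=1%0aid&dirno=7",
    "10.0.0.3 GET /fort/login -",
    "10.0.0.4 POST /fort/audit/other frame=1;id;",
]


def parse_body(body):
    """Split a form-encoded body into {name: [values]}.

    Split ONLY on '&'. Some parsers also treat ';' as a separator, which would
    turn 'frame=1;id;' into three harmless-looking parameters and hide the injection.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def tainted_values(body):
    """Return {param: decoded value} for frame/dirno values carrying shell metacharacters."""
    hits = {}
    for name in TAINTED_PARAMS:
        for value in parse_body(body).get(name, []):
            # Decode once more to catch double-encoded payloads (%253B -> %3B -> ;).
            if SHELL_META.search(value) or SHELL_META.search(unquote_plus(value)):
                hits[name] = value
    return hits


def scan(records):
    """Return one finding per POST to the vulnerable path whose frame/dirno looks injected."""
    findings = []
    for line in records:
        client, method, path, body = line.split(" ", 3)
        if method != "POST" or urlsplit(path).path != VULN_PATH:
            continue
        hits = tainted_values(body)
        if hits:
            findings.append({"client": client, "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"ALERT CVE-2026-1412 attempt from {finding['client']}: {finding['params']}")
```

Only the four records that hit the vulnerable path with a metacharacter in `frame` or `dirno` are reported; the `/fort/login` probe and the injection against an unrelated path are ignored. Tune `SHELL_META` to your environment, but keep the newline and backtick cases, since those are the ones naive keyword filters miss.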
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is about exposure, because the flaw needs no authentication. Restrict access to the vulnerable endpoint `/fort/audit/get_clip_img` with network-level controls (firewall rules or access control lists) so that only trusted administrative networks can reach the appliance, and if that is not possible, take the affected service offline until a fix is available. In front of the service, block POST requests whose `frame` or `dirno` parameter contains shell metacharacters, matching on the URL-decoded value so that `%3B`, `%7C`, and `%0a` are not missed; a simple `;` keyword rule is easy to bypass. Since the flaw is unauthenticated and exploit details are public, also check the appliance for signs of prior exploitation, such as unexpected files or processes. As no known countermeasures or patches are currently identified, replacing the affected product with a secure alternative is suggested. The durable fix is in the application code and requires vendor action: validate `frame` and `dirno` strictly (for example as integers) and invoke the underlying helper without passing user input through a shell. [3]