CVE-2026-1412
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1412
EUVD
EUVD-2026-4686
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sangfor operation_and_maintenance_security_management_system to 3.0.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1412 is a critical remote command execution vulnerability in Sangfor's Operation and Maintenance Security Management System (OSM) up to version 3.0.12. It exists in the HTTP POST endpoint /fort/audit/get_clip_img, where user-supplied parameters 'frame' and 'dirno' are improperly sanitized and directly concatenated into a shell command executed by the system. This allows an attacker to inject arbitrary shell commands remotely without authentication by manipulating these parameters, leading to execution of malicious commands on the server. [1, 2, 3]

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the affected Sangfor OSM server. This can lead to compromise of the system's confidentiality, integrity, and availability. Attackers can run malicious commands, potentially gaining control over the server, accessing sensitive data, disrupting services, or using the server as a foothold for further attacks. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint `/fort/audit/get_clip_img` with suspicious parameters, especially `frame` and `dirno` containing shell metacharacters such as `;`, `|`, or `&`. A proof of concept involves sending a POST request with parameters like `ip=local`, a long `sid`, and a malicious `frame` value containing injected shell commands. Network detection can include searching for POST requests to `/fort/audit/get_clip_img` with unusual payloads. For example, using curl to test the endpoint: `curl -X POST http://<target>/fort/audit/get_clip_img -d "ip=local&sid=longstring&frame=1;id;"` and checking for unexpected command execution or output files created on the server. Additionally, scanning for the presence of `/fort/login` and the product name "SANGFOR-运维安全管理系统" can help identify affected assets. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/fort/audit/get_clip_img` by implementing network-level controls such as firewall rules or access control lists to limit exposure. Since the vulnerability allows unauthenticated remote command execution, disabling or restricting the affected service until a patch or update is available is recommended. Monitoring and blocking suspicious POST requests with shell metacharacters in parameters `frame` and `dirno` can help reduce risk. As no known countermeasures or patches are currently identified, replacing the affected product with a secure alternative is suggested. Applying strict input validation and sanitization on user inputs in the application code is a long-term fix but requires vendor action. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1412. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart