Vulnerability Description
A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sangfor | Operation And Maintenance Security Management System | <= 3.0.8 |
Related Weaknesses (CWE)
References
- https://github.com/master-abc/cve/issues/12ExploitIssue TrackingThird Party Advisory
- https://github.com/master-abc/cve/issues/12#issue-3770615262ExploitIssue TrackingThird Party Advisory
- https://vuldb.com/?ctiid.340346Permissions RequiredVDB Entry
- https://vuldb.com/?id.340346Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.727214Third Party AdvisoryVDB Entry
FAQ
What is CVE-2025-15501?
CVE-2025-15501 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipu...
How severe is CVE-2025-15501?
CVE-2025-15501 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-15501?
Check the references section above for vendor advisories and patch information. Affected products include: Sangfor Operation And Maintenance Security Management System.