Nestor233

**Name of the Vulnerable Software and Affected Versions** Sangfor Operation and Maintenance Management System versions up to 3.0.8 **Description** A flaw exists in Sangfor Operation and Maintenance Management System. Manipulation of the `sessionPath` argument within the `WriterHandle.getCmd` function, located in the file `/isomp-protocol/protocol/getCmd`, can lead to operating system command injection. Remote exploitation is possible. The exploit for this issue has been publicly disclosed. The vendor was informed of this issue but did not provide a response. **Recommendations** Versions up to 3.0.8 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.