PT-2026-1776 · Sangfor · Sangfor Operation/Maintenance Management System

Junqi · Published 2026-01-09 · Updated 2026-01-10 · CVE-2025-15499

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Sangfor Operation and Maintenance Management System versions up to 3.0.8

Description

A flaw exists in Sangfor Operation and Maintenance Management System that allows for remote operating system command injection. This issue stems from the manipulation of the filename argument within the uploadCN function of the VersionController.java file. The vulnerability can be triggered remotely. Reports indicate increased targeting of systems affected by this issue, and a public exploit is available. The vendor was notified but did not respond.

Recommendations

Versions up to 3.0.8 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the uploadCN function within the VersionController.java file.

Exploit

Fix

OS Command Injection

Command Injection

Weakness Enumeration

Related identifiers

CVE-2025-15499

Affected products

Sangfor Operation/Maintenance Management System