PT-2026-1777 · Sangfor · Sangfor Operation/Maintenance Management System

Liyu Zhu · Published 2026-01-09 · Updated 2026-01-10 · CVE-2025-15500

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Sangfor Operation and Maintenance Management System versions up to 3.0.8

Description: A flaw exists in the HTTP POST Request Handler component of the software, specifically in the processing of the /isomp-protocol/protocol/getHis file. Manipulation of the sessionPath argument can lead to operating system command injection. The attack can be initiated remotely. An exploit for this issue has been publicly released. The vendor was notified of this issue but did not provide a response.

Recommendations: Versions up to 3.0.8 should be updated when a fix becomes available. As a temporary workaround, consider restricting access to the /isomp-protocol/protocol/getHis endpoint. Avoid using the sessionPath parameter in the affected API endpoint until the issue is resolved.
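Added here as a defender-side illustration of the workaround above (this is example code, not from the advisory or the vendor): a request filter that either refuses the affected endpoint outright or inspects the sessionPath value before it reaches the appliance. It assumes sessionPath arrives as a form-encoded POST parameter and that a legitimate value is a plain path of safe characters; both the allow-list pattern and the shell-metacharacter heuristic are assumptions, not taken from the advisory.

```python
import re
from urllib.parse import unquote_plus

VULN_PATH = "/isomp-protocol/protocol/getHis"  # endpoint named in the advisory
VULN_PARAM = "sessionPath"                      # parameter named in the advisory

# Assumed heuristics: shell metacharacters never belong in a path-like value,
# and a legitimate sessionPath is expected to be a plain path of safe characters.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n\\]")
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body (split on '&' only,
    so an encoded or literal ';' stays inside the value and can be inspected)."""
    params: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_request(method: str, path: str, body: str, lockdown: bool = False):
    """Classify one request as ('allow' | 'block', reason).
    lockdown=True refuses the endpoint outright, matching the advisory's
    temporary workaround of restricting access until a fix is available."""
    route = path.split("?", 1)[0]
    if route != VULN_PATH:
        return ("allow", "not the affected endpoint")
    if lockdown:
        return ("block", "endpoint restricted by temporary workaround")
    if method.upper() != "POST":
        return ("allow", "affected handler is the POST handler")
    for value in parse_form(body).get(VULN_PARAM, []):
        if SHELL_META.search(value) or not SAFE_PATH.fullmatch(value):
            return ("block", f"{VULN_PARAM} contains characters outside the allow-list")
        if ".." in value.split("/"):
            return ("block", f"{VULN_PARAM} attempts directory traversal")
    return ("allow", f"{VULN_PARAM} absent or within the allow-list")


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    for req in [("POST", VULN_PATH, "sessionPath=/var/log/isomp/session1.log"),
                ("POST", VULN_PATH, "sessionPath=%2Fvar%2Flog%2Fa%3Bb"),
                ("POST", VULN_PATH, "sessionPath=../../etc")]:
        print(req[2], "->", inspect_request(*req))
```

Decoding happens before inspection, so a percent-encoded metacharacter is caught the same way as a literal one.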

Weakness Enumeration

OS Command Injection

Command Injection

Related identifiers

CVE-2025-15500

Affected products

Sangfor Operation/Maintenance Management System