CVE-2025-15502 | Sangfor Operation and Maintenance Management System up to 3.0.8 session SessionController Hostname os command injection

A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. It has been declared as critical. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os command injection.

This vulnerability is documented as CVE-2025-15502. The attack can be executed remotely. Additionally, an exploit exists.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-15502 | Sangfor Operation and Maintenance Management System up to 3.0.8 session SessionController Hostname os command injection

Post correlati

CVE-2025-64700 | GROWI up to 7.3.3 cross-site request forgery

CVE-2024-44383 | WAYOS FBM-291W 19.09.11 msp_info_htm Privilege Escalation

CVE-2024-6891 | Journyx jtime 11.5.4 Login Flow code injection

CVE-2024-50581 | JetBrains YouTrack up to 2024.3.47197 Comment Tag cross site scripting