A critical vulnerability has been identified in the Sangfor Operation and Maintenance Management System, allowing a remote attacker to execute arbitrary commands and gain complete control of the affected system. Due to the public availability of an exploit and the lack of a vendor response, this flaw poses a severe and immediate risk to the confidentiality, integrity, and availability of the organization's network infrastructure managed by this product.

The vulnerability is a critical OS command injection flaw located in the HTTP POST Request Handler component. A remote, unauthenticated attacker can send a specially crafted HTTP POST request to the /isomp-protocol/protocol/getHis endpoint. By manipulating the sessionPath argument within the request to include operating system commands, the attacker can force the application to execute them with the privileges of the system's user account, leading to a full system compromise.

This vulnerability carries a critical severity rating with a CVSS score of 9.8. Successful exploitation grants an attacker complete control over the Sangfor management system, which is a trusted and privileged component of the network. This could lead to severe consequences, including theft of sensitive credentials and configuration data, deployment of ransomware, lateral movement to other critical systems within the network, and complete disruption of IT operations. The system could be used as a persistent foothold for further attacks against the organization, posing a direct and high-impact risk to business continuity and data security.

Immediate Action: The primary remediation step is to update the Sangfor Operation and Maintenance Management System to the latest version provided by the vendor which addresses this vulnerability. If a patched version is not yet available, organizations should immediately begin monitoring for exploitation attempts and reviewing access logs for indicators of compromise.

Proactive Monitoring: Security teams should actively monitor web server logs for any HTTP POST requests to the /isomp-protocol/protocol/getHis endpoint. Specifically, inspect the sessionPath parameter for suspicious content, such as shell metacharacters (e.g., |, ;, &&, $(), `). Monitor for unexpected outbound network connections, new processes, or command-line activity originating from the Sangfor appliance.

Compensating Controls: If immediate patching is not possible, implement the following controls to mitigate risk:

• Use a firewall or network access control lists (ACLs) to restrict access to the device's management interface to only trusted IP addresses and dedicated administrative networks.
• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block OS command injection attempts targeting the sessionPath parameter in requests to the vulnerable endpoint.

Public Exploit Available: true

Given the critical 9.8 CVSS score, the remote nature of the attack, and the confirmed availability of a public exploit, this vulnerability requires immediate attention. We strongly recommend that organizations identify all vulnerable Sangfor Operation and Maintenance Management Systems and apply the necessary patches or mitigating controls without delay. Although this CVE is not currently listed in the CISA KEV catalog, its characteristics make it a high-priority candidate for remediation to prevent a potentially devastating system compromise.