A critical remote command injection vulnerability has been identified in the Sangfor Operation and Maintenance Management System. This flaw allows an unauthenticated remote attacker to execute arbitrary commands on the server by manipulating a specific function, leading to a complete system compromise, potential data theft, and unauthorized access to the managed network environment.

The vulnerability is an OS command injection flaw within the WriterHandle.getCmd function, accessible via the /isomp-protocol/protocol/getCmd endpoint. A remote attacker can send a specially crafted request manipulating the sessionPath argument. The application fails to properly sanitize this input before using it in a system command, allowing the attacker to inject and execute arbitrary operating system commands with the privileges of the web application user.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the Sangfor Operation and Maintenance Management System, a highly privileged component within an IT infrastructure. An attacker could exfiltrate sensitive configuration data, disrupt critical operations, install malware or ransomware, and use the compromised system as a pivot point for lateral movement into the broader corporate network, posing a significant risk to organizational security and continuity.

Immediate Action: Immediately update the Sangfor Operation and Maintenance Management System to the latest version provided by the vendor (a version later than 3.0.8). After patching, thoroughly review system and access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Actively monitor web server access logs for requests to the /isomp-protocol/protocol/getCmd endpoint. Scrutinize requests where the sessionPath parameter contains shell metacharacters such as |, &, ;, $(), or backticks (`). Monitor the affected system for unexpected running processes, unauthorized outbound network connections, or newly created files in system directories.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules to inspect and block malicious requests targeting the vulnerable endpoint and parameter. Restrict network access to the management interface, allowing connections only from trusted IP addresses or management networks. Enhance egress filtering to prevent the server from making unauthorized outbound connections, which could block command-and-control communication.

Public Exploit Available: true

Given the critical CVSS score of 9.8, the remote and unauthenticated nature of the exploit, and the public availability of exploit code, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all affected Sangfor Operation and Maintenance Management Systems be patched immediately. If a patch is not yet available, the compensating controls listed above, particularly the use of a WAF and strict network access controls, must be implemented as an urgent priority. Organizations should also initiate threat hunting activities to search for evidence of past or current compromise.