| Title | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection |
|---|---|
| Description | A critical Remote Command Execution (RCE) vulnerability exists in the Sangfor Operation and Maintenance Security Management System (OSM) version 3.0.8. The vulnerability is located in the endpoint /isomp-protocol/protocol/session. The application fails to properly sanitize user input in the HTTP POST request parameters when handling the SSH protocol. Code analysis reveals that the backend retrieves the keypassword parameter and directly concatenates it into a shell command string (specifically an ssh-keygen command), which is subsequently executed by the system shell. |
| Source | https://github.com/LX-LX88/cve/issues/20 |
| User | LINXI666 (UID 91556) |
| Submission | 01/10/2026 04:08 (6 months ago) |
| Moderation | 01/22/2026 08:40 (12 days later) |
| Status | Accepted |
| VulDB entry | 342300 [Sangfor Operation and Maintenance Management System up to 3.0.12 SSH Protocol session SessionController keypassword os command injection] |
| Points | 20 |