What is the CVSS score of CVE-2025-15499?

CVE-2025-15499 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Java are affected by CVE-2025-15499?

Organizations using Sangfor Operation and Maintenance Management System face significant risk from CVE-2025-15499, a command injection vulnerability rated CVSS 8.8.

Is there a public PoC exploit available for CVE-2025-15499?

Yes, a public proof-of-concept exploit is available for CVE-2025-15499. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-15499?

Within 7 days: Identify all affected systems running Sangfor Operation and Maintenance Management System and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Java CVE-2025-15499

HIGH

Command Injection (CWE-77)

2026-01-09 cna@vuldb.com

Java Command Injection Operation And Maintenance Management System

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 22, 2026 - 21:46 vuln.today

Public exploit code

CVE Published

Jan 09, 2026 - 22:15 nvd

HIGH 8.8

DescriptionCVE.org

A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Operation And Maintenance Management System versions up to 3.0.8. is affected by command injection (CVSS 8.8).

Technical ContextAI

This vulnerability (CWE-77: Command Injection) affects Operation And Maintenance Management System. has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. The manipulation of the argument filename leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-41699 CRITICAL Act Now

9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at

CVE-2026-47835 HIGH This Week

8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t

CVE-2026-47825 HIGH This Week

8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH This Week

8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al

CVE-2025-15499 vulnerability details – vuln.today

Back

Java CVE-2025-15499

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code