XML External Entity Injection in Sangfor Behavior Management System
CVE-2023-7307

8.7HIGH

Key Information:

Vendor: Sangfor Technologies Co. Ltd.
Status: Sangfor Behavior Management System (dc Management System)
Vendor: CVE Published:; 27 August 2025

🔔 Create Sangfor Technologies Co. Ltd. Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-7307?

The Sangfor Behavior Management System, also known as the DC Management System, is susceptible to an XML external entity (XXE) injection vulnerability found at the /src/sangforindex endpoint. This allows a remote and unauthenticated attacker to exploit the system by submitting specially crafted XML data containing external entity definitions. The improper configuration of the XML parser enables the resolution of external entities without restrictions, posing significant risks such as the disclosure of internal files, potential server-side request forgery (SSRF), and varying impacts dictated by the parser’s behavior. This vulnerability highlights the need for stringent security measures, especially as the Behavior Management System integrates with the IAM (Internet Access Management) platform.

Affected Version(s)

Sangfor Behavior Management System (DC Management System) *

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-7307 - Proof of Concept