CVE-2026-15495
Received Received - Intake

OS Command Injection in SonicCloudOrg Sonic-Agent

Vulnerability report for CVE-2026-15495, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2. The affected element is an unknown function of the file AndroidWSServer.java of the component Android WebSocket Server. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
soniccloudorg sonic-agent to 2.7.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15495 is a vulnerability in the Sonic Cloud Platform's sonic-agent component (version up to 2.7.2) that allows remote attackers to execute arbitrary operating system commands. This happens because the argument 'path' in the pullFile functionality is not properly sanitized and is directly used in an ADB shell command, enabling OS command injection.

The vulnerability involves two main issues: an authentication bypass due to weak secretKey exposure and token validation in the WebSocket endpoint, and a command injection flaw where malicious commands can be injected via the path parameter. Attackers can exploit this to gain remote code execution as root on the agent host.

Impact Analysis

This vulnerability can have severe impacts including full system compromise. An attacker can remotely execute arbitrary commands as root on the affected device, leading to unauthorized control over the system.

  • Arbitrary code execution as root on the agent host.
  • Data exfiltration by writing command outputs to files and retrieving them.
  • Complete device control and potential lateral movement within internal networks.
Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection via the pullFile functionality of the Sonic Cloud Platform's sonic-agent component. The proof-of-concept (PoC) exploit script interacts with the Sonic server to log in, list agents and devices, and establish a WebSocket connection to the agent. It then injects commands into the pullFile parameter to execute arbitrary OS commands.

To detect the vulnerability, you can use the PoC Python script from Resource 1 which provides an interactive shell to execute commands remotely on the target system. This script targets the /server/api/controller endpoint and requires the target to be running a vulnerable version of sonic-agent.

Suggested commands include using the PoC to inject simple OS commands such as 'id' or 'whoami' via the pullFile parameter to verify if command execution is possible. The script automates this process, but manual testing could involve sending crafted WebSocket messages with injected commands in the path argument.

Mitigation Strategies

Immediate mitigation steps include restricting access to the sonic-agent service to trusted users and networks, since the vulnerability allows remote command execution due to authentication bypass and command injection.

Additional steps involve disabling or isolating the vulnerable sonic-agent component if possible, especially since the affected products are no longer supported by the maintainer.

Longer-term mitigations recommended by the vendor or community include applying strict path validation, removing shell interpretation from command execution, enhancing secretKey and token validation, and running the agent as a non-root user to limit impact.

Compliance Impact

The vulnerability in SonicCloudOrg sonic-agent allows remote attackers to execute arbitrary OS commands as root, potentially leading to full system compromise, data exfiltration, and unauthorized device control.

Such unauthorized access and data breaches could result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data against unauthorized access and disclosure.

However, the provided information does not explicitly discuss the impact on compliance with these standards or any regulatory implications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15495. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart