CVE-2026-15497
Received Received - Intake

Code Injection in SonicCloudOrg Sonic-Agent

Vulnerability report for CVE-2026-15497, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT Authentication Filter. This manipulation causes code injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
soniccloudorg sonic-agent to 2.7.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated remote code execution and unauthorized control over Sonic Cloud Platform agents, potentially leading to unauthorized access, data exfiltration, and manipulation of internal systems.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

Because the vulnerability enables attackers to execute arbitrary commands and exfiltrate data without authentication, affected organizations may face risks related to data confidentiality, integrity, and availability, which are core requirements in these regulations.

Executive Summary

CVE-2026-15497 is a critical unauthenticated command injection vulnerability in the Sonic Cloud Platform's sonic-server-controller component, affecting versions up to 2.7.2. The flaw exists in the /exchange/send endpoint, which bypasses JWT authentication due to the presence of the @WhiteUrl annotation. This allows unauthenticated attackers to send arbitrary JSON payloads to connected Agents via a Transport WebSocket channel.

Attackers can inject internal protocol messages such as runStep, which can execute arbitrary Groovy code on Agent hosts when combined with another unsandboxed execution vulnerability. This results in zero-authentication remote code execution with root privileges.

Attackers can enumerate Agent IDs through the open registration system and then send malicious payloads to control devices, execute operating system commands, exfiltrate data, or pivot to internal networks.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution as root on affected systems without any authentication.

Attackers can gain full control over devices running the vulnerable Sonic Cloud Platform, execute arbitrary OS commands, exfiltrate sensitive data, and move laterally within internal networks.

Because the vulnerability allows unauthenticated access, it significantly increases the risk of compromise, especially for publicly exposed Sonic instances.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unusual access attempts to the `/exchange/send` endpoint on Sonic Cloud Platform instances up to version 2.7.2.

Since the vulnerability allows unauthenticated attackers to send arbitrary JSON payloads via a WebSocket channel, detection can involve inspecting network traffic for suspicious JSON messages targeting this endpoint.

Commands to detect exploitation attempts might include using network monitoring tools like tcpdump or Wireshark to filter traffic to the `/exchange/send` endpoint, or using web server logs to identify requests with the `@WhiteUrl` annotation bypass.

  • Use tcpdump to capture traffic on the relevant port and filter for WebSocket upgrade requests or JSON payloads targeting `/exchange/send`.
  • Example tcpdump command: `tcpdump -i eth0 -A -s 0 'tcp port 80 or tcp port 443' | grep '/exchange/send'`
  • Check web server or application logs for unauthenticated access attempts to `/exchange/send`.
  • Use tools like FOFA or Shodan to identify publicly exposed Sonic instances that might be vulnerable.
Mitigation Strategies

Immediate mitigation steps include removing the `@WhiteUrl` annotation from the `/exchange/send` endpoint to prevent unauthenticated access.

Enforce role-based authorization so that only ADMIN users can access this endpoint.

Implement validation of message types sent to the endpoint to prevent injection of malicious payloads.

Apply rate-limiting and logging on the `/exchange/send` endpoint to detect and block suspicious activity.

Since the affected products are no longer supported, consider isolating or decommissioning vulnerable Sonic Cloud Platform instances to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart