{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/soniccloudorg/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-15497"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["sonic-agent \u003c= 2.7.2"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":["SonicCloudOrg"],"content_html":"\u003cp\u003eA significant code injection vulnerability, tracked as CVE-2026-15497, has been identified in SonicCloudOrg's \u003ccode\u003esonic-agent\u003c/code\u003e software, specifically impacting versions up to 2.7.2. This critical flaw resides within an unspecified function of the \u003ccode\u003eExchangeController.java\u003c/code\u003e file, part of the \u003ccode\u003esonic-server-controller\u003c/code\u003e component's JWT Authentication Filter. Attackers can remotely exploit this vulnerability to inject and execute arbitrary code, leading to complete system compromise. The exploit has been publicly disclosed, increasing the risk of widespread attacks. Compounding the severity, the vendor, SonicCloudOrg, has not responded to the disclosure and no longer supports the affected product versions, leaving organizations with unpatched instances highly exposed. Defenders should prioritize detecting and mitigating exploitation attempts, as unsupported software presents a persistent security risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies a SonicCloudOrg \u003ccode\u003esonic-agent\u003c/code\u003e instance running a vulnerable version (up to 2.7.2) accessible via a public-facing interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request designed to interact with the vulnerable \u003ccode\u003eExchangeController.java\u003c/code\u003e endpoint, specifically targeting its JWT Authentication Filter component.\u003c/li\u003e\n\u003cli\u003eThis request contains specially crafted input, often within the JWT token or associated request parameters, which leverages the code injection flaw (CVE-2026-15497).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u0026quot;unknown function\u0026quot; in the \u003ccode\u003eExchangeController.java\u003c/code\u003e file processes the malicious input without proper sanitization, leading to the injection and execution of attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation grants the attacker remote code execution capabilities on the underlying server hosting the \u003ccode\u003esonic-agent\u003c/code\u003e, allowing them to run arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker can then proceed with various post-exploitation activities, including data exfiltration, establishing persistence, or lateral movement within the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15497 leads to remote code execution (RCE) on the server running the vulnerable SonicCloudOrg \u003ccode\u003esonic-agent\u003c/code\u003e. This can result in complete compromise of the affected system, allowing attackers to steal sensitive data, deploy malware (such as ransomware or cryptominers), or use the compromised system as a pivot point for further attacks on the internal network. Given that the exploit has been publicly disclosed and the affected product versions are no longer supported by the vendor, organizations using these versions face an elevated and persistent risk of severe security breaches and operational disruption. The vulnerability affects instances deployed on Windows, Linux, and macOS platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade SonicCloudOrg \u003ccode\u003esonic-agent\u003c/code\u003e to a supported version that patches CVE-2026-15497. If upgrading is not possible, isolate or decommission affected systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-15497 Exploitation - SonicCloudOrg sonic-agent Code Injection\u0026quot; to your SIEM to identify and alert on potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging, including full URI, query parameters, and request body (if feasible and legally permissible), to capture artifacts relevant to CVE-2026-15497 exploitation.\u003c/li\u003e\n\u003cli\u003eReview network egress logs for connections originating from \u003ccode\u003esonic-agent\u003c/code\u003e hosts to unusual external IP addresses or domains, as these could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:19:35Z","date_published":"2026-07-12T12:19:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sonicagent-code-injection/","summary":"A critical vulnerability (CVE-2026-15497) exists in SonicCloudOrg's sonic-agent, affecting versions up to 2.7.2. The flaw resides within an unknown function in the `ExchangeController.java` file, specifically within the JWT Authentication Filter component of the `sonic-server-controller`. This vulnerability allows for remote code injection, and public exploits are available. The vendor was notified but has not responded, and the affected products are no longer supported.","title":"SonicCloudOrg Sonic-Agent Code Injection Vulnerability (CVE-2026-15497)","url":"https://feed.craftedsignal.io/briefs/2026-07-sonicagent-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - SonicCloudOrg","version":"https://jsonfeed.org/version/1.1"}