CVE-2026-15497

SonicCloudOrg · sonic-agent

An unauthenticated code injection vulnerability exists in the JWT Authentication Filter of the SonicCloudOrg sonic-agent, affecting versions up to 2.7.2.

Executive summary

An unauthenticated code injection vulnerability in the SonicCloudOrg sonic-agent allows for potential remote code execution on affected systems.

Vulnerability

The vulnerability is a code injection flaw (CWE-94) residing in the JWT Authentication Filter. It is exploitable by unauthenticated remote attackers with low complexity.

Business impact

This vulnerability carries a CVSS score of 7.3 and presents a High severity risk. Code injection vulnerabilities are critical as they can lead to full system compromise, unauthorized command execution, and complete loss of confidentiality, integrity, and availability. Note that this software is no longer supported by the maintainer, meaning users are unlikely to receive an official patch.

Remediation

Immediate Action: Given the lack of vendor support, migrate away from the affected software to a supported alternative. If immediate migration is impossible, isolate the affected instance from the network.

Proactive Monitoring: Monitor for unexpected child processes or abnormal execution patterns stemming from the agent service.

Compensating Controls: Use network micro-segmentation to restrict the agent's communication to authorized endpoints only and apply strict egress filtering to prevent reverse shell activity.

Exploitation status

Public Exploit Available: Yes (GitHub PoC exists)

Analyst recommendation

The presence of a public proof-of-concept combined with the status of the software as "unsupported" makes this a critical security debt. Organizations must prioritize replacing the sonic-agent immediately to eliminate the risk of exploitation, as no vendor-provided remediation will be forthcoming.