| tiêu đề | SonicCloudOrg SonicServer 2.7.2 Code Injection |
|---|
| Mô tả | The POST /exchange/send endpoint in sonic-server-controller is annotated with @WhiteUrl, which causes the platform's JWT authentication filter to unconditionally skip authentication for this endpoint. Any unauthenticated attacker can POST arbitrary JSON payloads to this endpoint, which are forwarded verbatim into the internal Transport WebSocket channel shared between the server and all connected Agents.
This allows an attacker to inject any internal protocol message — including runStep (triggering test execution), stopStep, or device control commands — without possessing any credentials.
When chained with V-S002 (Groovy unsandboxed execution), this vulnerability enables zero-authentication remote code execution on every Agent host managed by the Sonic Server. |
|---|
| Nguồn | ⚠️ https://github.com/xpp3901/CVE_APPLY/blob/main/V-S001_SonicCloudPlatform_Unauth_ExchangeSend |
|---|
| Người dùng | xpp39 (UID 97299) |
|---|
| Đệ trình | 01/06/2026 05:30 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 11/07/2026 14:24 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 377804 [SonicCloudOrg sonic-agent đến 2.7.2 JWT Authentication Filter ExchangeController.java nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|