OS Command Injection Vulnerability in SonicCloudOrg Sonic-Agent up to 2.7.2
CVE-2026-15495
Key Information:
- Vendor
Soniccloudorg
- Status
- Vendor
- CVE Published:
- 12 July 2026
Badges
What is CVE-2026-15495?
A remote OS command injection vulnerability exists in the Android WebSocket Server component of SonicCloudOrg's sonic-agent, affecting versions up to 2.7.2. The flaw resides in the AndroidWSServer.java file, where improper handling of the argument path enables an attacker to execute arbitrary commands on the server. This risk is especially pronounced for products that are no longer supported, as public exploits are already available. Despite early notifications to the vendor regarding this issue, no response was received.
Affected Version(s)
sonic-agent 2.7.0
sonic-agent 2.7.1
sonic-agent 2.7.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
