A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT Authentication Filter. This manipulation causes code injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
Security readout for executives and security teams
Plain-English summary
CVE-2026-15497 is a remotely reachable code injection issue reported in SonicCloudOrg sonic-agent/SonicServer versions 2.7.0 through 2.7.2. Public sources say exploit material has been disclosed. The vendor reportedly did not respond, and the affected product line is no longer supported.
Executive priority
Treat as high priority if SonicCloudOrg sonic-agent/SonicServer is deployed. Unsupported status and public exploit disclosure reduce options and increase urgency. Prioritize inventory, exposure reduction, and replacement planning.
Technical view
The issue is reported in ExchangeController.java within the JWT Authentication Filter component. VulDB classifies it as CWE-74/CWE-94 code injection, remotely exploitable without authentication under CVSS v2 AV:N/AC:L/Au:N. Affected versions listed are sonic-agent 2.7.0, 2.7.1, and 2.7.2.
Likely exposure
Organizations running SonicCloudOrg sonic-agent or SonicServer 2.7.0 through 2.7.2 are potentially exposed, especially if the service is reachable from untrusted networks. The sources state the affected products are no longer supported by the maintainer.
Exploitation context
Public exploit information is referenced, but CISA KEV status is false in the provided bundle. That supports elevated risk from disclosure, not confirmed active exploitation. No safe exploit details are included here.
Researcher notes
Evidence is primarily third-party VulDB reporting and a public GitHub reference. The CVE description says vendor contact received no response. No official vendor advisory or patch is identified in the provided sources.
Mitigation direction
Identify and retire affected sonic-agent/SonicServer 2.7.0-2.7.2 deployments.
Check SonicCloudOrg or project guidance for any successor version or migration path.
Restrict network access to trusted administrative or internal networks only.
Disable affected services if they are not business-critical.
Increase monitoring for suspicious requests to the affected controller paths.
Validation and detection
Inventory deployed SonicCloudOrg sonic-agent and SonicServer versions.
Confirm whether versions 2.7.0, 2.7.1, or 2.7.2 are present.
Review internet-facing exposure for the Sonic service.
Check logs for anomalous ExchangeController or JWT filter activity.
Review VulDB CTI indicators if available to your team.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-74: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
4CVSS vectors
6Timeline events
0ADP providers
6Source links
CVSS vector scores
4 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-74 · source CWE mapping
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.