New SonicBoom Attack Allows Bypass of Authentication for Admin Access
A critical new attack chain, dubbed “SonicBoom,” enables remote attackers to bypass authentication and seize administrative control over enterprise appliances, including SonicWall Secure Mobile Access (SMA) and Commvault backup solutions.
This sophisticated multi-stage exploit leverages a combination of pre-authentication vulnerabilities, arbitrary file write, and server-side request forgery (SSRF) to achieve full system compromise.
The SonicBoom Attack Chain
According to watchTowr reports, the SonicBoom chain exploits flaws in the authentication and file handling mechanisms of targeted appliances. The process typically unfolds in several stages:
Stage 1: Authentication Bypass via Exposed Endpoints
Attackers first identify endpoints that are excluded from authentication checks. For example, in Commvault’s on-premise edition, the authSkipRules.xml file lists over 50 endpoints (such as deployWebpackage.do and deployServiceCommcell.do) that can be accessed without valid credentials.
This allows unauthenticated users to interact with sensitive backend functions directly.
Stage 2: Server-Side Request Forgery (SSRF) and Arbitrary File Write
By sending crafted POST requests to endpoints like /commandcenter/deployWebpackage.do, attackers can manipulate parameters such as commcellName and servicePack to coerce the appliance into fetching files from attacker-controlled servers.
The vulnerable code concatenates these parameters into URLs and file paths without proper sanitization, enabling SSRF and path traversal attacks.
The appliance downloads a ZIP file from the attacker’s server, then writes and extracts its contents into directories accessible by the web server. This ZIP typically contains a malicious .jsp web shell.
Stage 3: Remote Code Execution (RCE) and Admin Access
Once the malicious file is in place, the attacker can trigger it via a direct HTTP request, achieving remote code execution as the privileged service account.
This grants full administrative access, allowing the attacker to install programs, exfiltrate data, or further pivot within the network.
The root cause lies in insufficient input validation and improper authentication enforcement. In Commvault, for example, the vulnerable Java method is:
The attack is further facilitated by path traversal in the servicePack parameter, enabling writes to unintended directories.
Affected Systems & Remediation
Commvault: Versions 11.38.0 to 11.38.19 are vulnerable; patched in 11.38.20 and above.
SonicWall SMA: Multiple CVEs, including CVE-2025-23006 and CVE-2024-38475, have been exploited in the wild, allowing pre-authentication remote code execution and admin takeover.
Vendors have released patches for affected versions. Organizations are urged to:
- Update all appliances to the latest versions immediately.
- Audit for unauthorized files or suspicious admin sessions.
- Monitor logs for exploitation attempts on known vulnerable endpoints.
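To make the last bullet concrete, here is an added detection sketch (not code from watchTowr, Commvault or SonicWall) that scans access log lines for the two traces the chain above leaves: traversal sequences in the commcellName/servicePack parameters of a request to one of the auth-skipped deploy endpoints, and a later request for a .jsp file from the same source address. The sample log lines are constructed, and the combined log format and the /commandcenter/ location of deployServiceCommcell.do are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoint names the article reports as excluded from authentication in authSkipRules.xml.
SKIP_AUTH_ENDPOINTS = {"deployWebpackage.do", "deployServiceCommcell.do"}
TRAVERSAL = re.compile(r"\.\./|\.\.\\")

# Combined-format access log line: ip ident user [ts] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not from a real appliance): one benign deploy, one traversal
# attempt followed by a hit on a .jsp in the directory the traversal pointed at.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2025:10:01:12 +0000] "POST /commandcenter/deployWebpackage.do?commcellName=x&servicePack=..%2F..%2Freports HTTP/1.1" 200 88
203.0.113.7 - - [01/May/2025:10:01:30 +0000] "GET /reports/cmd.jsp?c=id HTTP/1.1" 200 140
10.0.0.9 - - [01/May/2025:10:02:00 +0000] "POST /commandcenter/deployWebpackage.do?commcellName=site1&servicePack=SP19 HTTP/1.1" 200 88
"""


def parse_line(line):
    """Split one access log line into ip, method, path, decoded query params and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    # parse_qs decodes once; a second unquote catches double-encoded traversal (%252e%252e).
    params = {k: [unquote(v) for v in vs] for k, vs in parse_qs(url.query).items()}
    return {"ip": m["ip"], "method": m["method"], "path": url.path,
            "params": params, "status": int(m["status"])}


def detect(log_text):
    """Return (ip, reason, detail) tuples for the SonicBoom-style traces in the log."""
    findings = []
    staged_ips = set()  # sources that have already called an auth-skipped deploy endpoint
    for line in log_text.splitlines():
        req = parse_line(line)
        if not req:
            continue
        if req["path"].rsplit("/", 1)[-1] in SKIP_AUTH_ENDPOINTS:
            staged_ips.add(req["ip"])
            bad = [f"{k}={v}" for k, vs in req["params"].items() for v in vs if TRAVERSAL.search(v)]
            if bad:  # a plain deploy call is normal; traversal in its parameters is not
                findings.append((req["ip"], "traversal-in-deploy-params", ", ".join(bad)))
        elif req["path"].lower().endswith(".jsp") and req["ip"] in staged_ips and req["status"] == 200:
            findings.append((req["ip"], "jsp-after-deploy-request", req["path"]))
    return findings
```

Feed it the appliance's real access log and treat a "jsp-after-deploy-request" hit as a prompt to check that file's origin and timestamp, since the chain's final stage is a direct request to the dropped web shell.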
The SonicBoom attack chain exemplifies the risks posed by overlooked authentication gaps and insecure file handling in enterprise appliances. With active exploitation reported, immediate remediation is critical to prevent catastrophic breaches and data loss.