A newly identified attack sequence, termed SonicBoom, poses a significant threat by allowing remote attackers to bypass authentication and gain administrative control over enterprise appliances, notably SonicWall Secure Mobile Access (SMA) devices and Commvault backup solutions. This multi-stage exploit chains pre-authentication vulnerabilities, an arbitrary file write, and server-side request forgery (SSRF) to achieve full system compromise.
Understanding the SonicBoom Attack Chain
The SonicBoom exploit capitalizes on flaws within the authentication and file handling mechanisms of targeted appliances. The attack unfolds through several critical stages:
Stage 1: Exploiting Authentication Bypass via Exposed Endpoints
Attackers begin by identifying endpoints that are exempt from authentication checks. For instance, in Commvault’s on-premise edition, the `authSkipRules.xml` file lists over 50 such endpoints, including `deployWebpackage.do` and `deployServiceCommcell.do`, which can be accessed without valid credentials. This oversight allows unauthenticated users to interact directly with sensitive backend functions.
Stage 2: Leveraging SSRF and Arbitrary File Write
By sending crafted POST requests to endpoints like `/commandcenter/deployWebpackage.do`, attackers manipulate parameters such as `commcellName` and `servicePack` to coerce the appliance into fetching files from attacker-controlled servers. The vulnerable code concatenates these parameters into URLs and file paths without proper sanitization, enabling SSRF and path traversal attacks.
Consequently, the appliance downloads a ZIP file from the attacker’s server and extracts its contents into directories accessible by the web server. This ZIP typically contains a malicious `.jsp` web shell, setting the stage for further exploitation.
Stage 3: Achieving Remote Code Execution and Administrative Access
Once the malicious file is in place, the attacker can trigger it via a direct HTTP request, achieving remote code execution as the privileged service account. This access grants full administrative control, allowing the attacker to install programs, exfiltrate data, or further pivot within the network.
The root cause of this vulnerability lies in insufficient input validation and improper enforcement of authentication. In Commvault, for example, the Java method behind the endpoint builds the download URL and the extraction path from the `commcellName` and `servicePack` parameters without sanitizing them. The path traversal in the `servicePack` parameter additionally enables writes to unintended directories, exacerbating the risk.
Affected Systems and Recommended Remediation
The SonicBoom attack chain affects multiple systems:
– Commvault: Versions 11.38.0 to 11.38.19 are vulnerable. The issue has been addressed in version 11.38.20 and subsequent releases.
– SonicWall SMA: Multiple CVEs, including CVE-2025-23006 and CVE-2024-38475, have been exploited in the wild, allowing pre-authentication remote code execution and administrative takeover.
Vendors have released patches for the affected versions. Organizations are strongly urged to:
1. Update Appliances Promptly: Ensure all devices are updated to the latest firmware versions to mitigate known vulnerabilities.
2. Conduct Security Audits: Regularly audit systems for unauthorized files or suspicious administrative sessions that may indicate compromise.
3. Monitor Logs Vigilantly: Keep a close watch on logs for any signs of exploitation attempts targeting known vulnerable endpoints.
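As an added example, not code from the article or from Commvault, the following Python scanner applies step 3 to the Stage 2 pattern described above: it flags requests to the authentication-exempt endpoints and escalates when `servicePack` carries a `..` segment or `commcellName` names a host outside a defender-maintained allowlist. It assumes a constructed log format in which the reverse proxy records request parameters as a query string, and an assumed `KNOWN_COMMCELLS` set of legitimate CommServe names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints the article names as listed in authSkipRules.xml (reachable without credentials).
WATCHED = ("deployWebpackage.do", "deployServiceCommcell.do")
# Assumption: the defender knows their own CommServe names; any other commcellName means the
# appliance was told to fetch from a host it should not trust.
KNOWN_COMMCELLS = frozenset({"cs01", "cs02"})
# '..' as a complete path segment, with either separator style (Commvault often runs on Windows).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.(?=[\\/]|$)")
# Constructed log format, not Commvault's own: client, request line, status. It assumes the
# reverse proxy in front of the appliance logs the request parameters as a query string.
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')


def analyze_line(line):
    """Return (severity, reason) for one log line, or None if the line is not of interest."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(WATCHED):
        return None  # only the authentication-exempt endpoints are in scope here
    params = parse_qs(parts.query)  # decodes %2F / %5C, so encoded traversal is still caught
    reasons = []
    for value in params.get("servicePack", []):
        if TRAVERSAL.search(value):
            reasons.append(f"path traversal in servicePack={value!r}")
    for value in params.get("commcellName", []):
        if value not in KNOWN_COMMCELLS:
            reasons.append(f"unknown commcellName={value!r} (possible SSRF fetch target)")
    if reasons:
        return ("high", "; ".join(reasons))
    return ("info", f"unauthenticated endpoint hit: {parts.path}")


def scan(lines):
    """Apply analyze_line to every line; return a list of (client, severity, reason)."""
    findings = []
    for line in lines:
        result = analyze_line(line)
        if result:
            findings.append((LOG_RE.match(line.strip())["client"], *result))
    return findings


# Constructed sample lines (not captured traffic); the first mirrors the Stage 2 pattern.
SAMPLE_LOG = [
    '203.0.113.5 "POST /commandcenter/deployWebpackage.do?commcellName=203.0.113.9&servicePack=..%2F..%2Fwebapps HTTP/1.1" 200',
    '10.0.0.7 "POST /commandcenter/deployWebpackage.do?commcellName=cs01&servicePack=SP38 HTTP/1.1" 200',
    '10.0.0.8 "GET /commandcenter/login.do HTTP/1.1" 200',
]
```

Running `scan(SAMPLE_LOG)` yields one high-severity finding for the first line and an informational hit for the second; the login request is ignored.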
The SonicBoom attack chain underscores the critical importance of robust authentication mechanisms and secure file handling practices in enterprise appliances. With active exploitation reported, immediate remediation is essential to prevent potential breaches and data loss.