CVE-2015-9246
Description
Unauthenticated remote code execution in Skybox Platform before 7.5.201 via WAR upload and JSP access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Skybox Platform prior to version 7.5.201 contained an unauthenticated remote code execution vulnerability in the /skyboxview-softwareupdate/services/CollectorSoftwareUpdate endpoint. An attacker could upload a crafted WAR archive containing a JSP file, which was then deployed to the JBoss server. The JSP file would become accessible at /opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost, allowing execution of arbitrary Java code on the server. No authentication or prior access was required.
Exploitation
An attacker with network access to the Skybox Platform could send a WAR file containing a malicious JSP file to the vulnerable endpoint /skyboxview-softwareupdate/services/CollectorSoftwareUpdate without any authentication. The WAR file is automatically deployed by the JBoss application server, and the JSP file becomes reachable. The attacker can then send HTTP requests to the deployed JSP file to execute arbitrary commands on the underlying operating system [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to achieve remote code execution with the privileges of the JBoss server process. This typically results in full compromise of the Skybox Platform server, including access to network configuration data, credentials, and the ability to pivot further into the internal network [1].
Mitigation
The vulnerability is fixed in Skybox Platform version 7.5.201 and later [1]. Users running any earlier version should upgrade immediately. No workarounds have been published. The product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the latest update.
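For hosts that ran a version before 7.5.201, access logs can be reviewed for the request pattern described above. The following is an added example, not code from Skybox or from this advisory; it assumes Apache/Tomcat-style access log lines, a 30-minute correlation window, and constructed sample data.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/skyboxview-softwareupdate/services/CollectorSoftwareUpdate"
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per site
# Assumption: access log in Apache/Tomcat "common"/"combined" layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_suspicious(lines, window=WINDOW):
    """Flag POSTs to the update endpoint and any .jsp request the same
    client makes within `window` afterwards. Findings are triage leads."""
    last_upload = {}  # client address -> time of its latest endpoint POST
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.rstrip("/") == ENDPOINT:
            last_upload[ip] = ts
            findings.append(("update-endpoint-post", ip, ts, path))
        elif path.lower().endswith(".jsp") and ip in last_upload:
            if timedelta(0) <= ts - last_upload[ip] <= window:
                findings.append(("jsp-after-upload", ip, ts, path))
    return findings

# Constructed sample lines (documentation-range addresses, made-up JSP paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2016:10:15:02 +0000] "POST /skyboxview-softwareupdate/services/CollectorSoftwareUpdate HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2016:10:15:30 +0000] "GET /example/status.jsp HTTP/1.1" 200 1024',
    '192.0.2.10 - - [12/Mar/2016:10:16:11 +0000] "GET /example/index.jsp?x=1 HTTP/1.1" 200 87',
    '192.0.2.10 - - [12/Mar/2016:11:30:00 +0000] "GET /example/index.jsp HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for kind, ip, ts, path in find_suspicious(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {kind} {path}")
```

A POST to the endpoint on its own is a lead to check against known update activity; the paired `jsp-after-upload` finding is the stronger signal.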
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 7.5.201
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions
No linked articles in our index yet.