SonicWall SMA1000 Zero-Days Exploited to Steal Credentials and Breach Networks
Attackers are actively exploiting two SonicWall SMA1000 zero-day vulnerabilities to execute commands, steal credentials, and move from compromised remote access appliances into corporate networks.
The flaws, tracked as CVE-2026-15409 and CVE-2026-15410, affect SonicWall SMA1000 Series models 6210, 7210, and 8200v. The SonicWall security advisory urges customers to install the available platform hotfixes immediately.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Organizations should not stop after installing the update. Investigations found attackers stealing passwords, session databases, and time-based one-time password seeds from compromised appliances. Customers must therefore check for evidence of an earlier breach.
One critical flaw and one high-severity vulnerability
CVE-2026-15409 is a critical server-side request forgery vulnerability in the SMA1000 WorkPlace interface. It carries the maximum CVSS score of 10.0 and allows remote exploitation without authentication or user interaction.
The flaw affects a WebSocket proxy feature available through the /wsproxy path. An attacker can manipulate its host and port parameters to make an internet-facing appliance connect to services that should only accept requests from the local system.
CVE-2026-15410 is a high-severity code injection vulnerability in the Appliance Management Console. SonicWall assigned it a CVSS score of 7.2. It can allow an attacker with access to a local management service to execute operating system commands with root privileges.
| Vulnerability | Severity | Affected component | Potential result |
|---|---|---|---|
| CVE-2026-15409 | Critical, CVSS 10.0 | SMA1000 WorkPlace interface | Unauthenticated access to local appliance services |
| CVE-2026-15410 | High, CVSS 7.2 | Appliance Management Console | Operating system command execution as root |
Attackers chain the two SonicWall vulnerabilities
The vulnerabilities become especially dangerous when attackers combine them. The first flaw provides access to services listening only on the applianceโs localhost interface. The second can then elevate that access to root command execution.
According to Rapid7โs investigation, CVE-2026-15409 can open a WebSocket tunnel to arbitrary local services. Researchers demonstrated access to an Erlang service on port 1050 and the ctrl-service application on port 8188.
CVE-2026-15410 involves path traversal in the remove_hotfix function. An attacker who stages a malicious script can manipulate a hotfix removal request, causing the system to mark the script as executable and run it as root.
- The attacker connects to the internet-facing /wsproxy endpoint.
- CVE-2026-15409 tunnels traffic to a localhost-only service.
- The attacker gains code execution on the appliance.
- CVE-2026-15410 abuses the hotfix removal process.
- A malicious script runs with root privileges.
- The attacker steals credentials and attempts to enter the internal network.
Targeted attacks began before public disclosure
Rapid7 detected targeted exploitation of internet-facing SMA1000 appliances before SonicWall publicly disclosed the vulnerabilities on July 14, 2026. This makes both issues zero-days because attackers used them before fixes and public details became available.
The attackers treated the compromised appliances as stealthy entry points. Since these systems provide remote access to internal resources, they may contain valuable authentication data and trusted connections.
Investigators observed attackers collecting several types of sensitive information:
- User and administrator credentials
- Active session databases
- TOTP multi-factor authentication seed configurations
- LDAP service account credentials
- Information needed to maintain access after patching
Compromised appliances became internal backdoors
After stealing authentication material, the attackers moved from affected appliances into internal corporate networks. Rapid7 identified unusual Active Directory logins sent directly from the appliancesโ internal IP addresses.
These authentication attempts did not correspond with active VPN sessions. Some used attacker-controlled workstation names, including โkali,โ instead of names assigned to legitimate corporate computers.
This activity indicated that attackers had fully compromised the appliances and were using them as unmonitored backdoors. Traditional endpoint monitoring may not detect this behavior because a network appliance does not run the same security software as employee workstations and servers.
Which SonicWall products and versions are affected?
The vulnerabilities affect physical SMA6210 and SMA7210 appliances, along with the virtual SMA8200v model. Several platform-hotfix releases in the 12.4.3 and 12.5.0 branches remain vulnerable.
| Product | Affected platform-hotfix versions | Fixed version |
|---|---|---|
| SMA1000 Series 6210, 7210, and 8200v | 12.4.3-03245, 12.4.3-03387, 12.4.3-03434 | 12.4.3-03453 or later |
| SMA1000 Series 6210, 7210, and 8200v | 12.5.0-02283, 12.5.0-02624, 12.5.0-02800 | 12.5.0-02835 or later |
The vulnerabilities do not affect SSL VPN functionality on SonicWall firewall products. They also do not affect appliances in the separate SMA 100 Series product line.
Customers can obtain the patched platform hotfixes through the MySonicWall portal. The SonicWall advisory provides the latest product and remediation information.
CISA adds both vulnerabilities to its exploited flaws catalog
The US Cybersecurity and Infrastructure Security Agency added CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities catalog.
Inclusion in the catalog confirms that reliable evidence of real-world exploitation exists. US federal civilian agencies must remediate cataloged vulnerabilities by the deadline assigned by CISA, while private organizations should also treat them as urgent priorities.
Public exploit code for CVE-2026-15409 has also become available. This increases the chance that more attackers will scan for unpatched internet-facing systems, even if they did not participate in the original campaign.
Indicators of SonicWall SMA1000 exploitation
Security teams should review web access logs, appliance management logs, configuration files, and authentication activity. Suspicious /wsproxy requests with localhost addresses or unusual host parameters may indicate exploitation of CVE-2026-15409.
Rapid7 identified requests containing host values such as localhost or ::ffff:127.0.0.1. Requests that include /wsproxy, an unusual negative bmID value, and an HTTP 101 response deserve particular attention.
The following activity may indicate attempted or successful exploitation:
- Requests to /wsproxy with suspicious host values returning HTTP 101
- extraweb_access.log entries involving /__api__/login or /__api__/logout returning HTTP 200
- ctrl-service.log entries invoking remove_hotfix with path traversal sequences
- Unexpected /__api__/login or /__api__/logout routes in /var/lib/unit/conf.json
- Requests for temporary session database files such as /tmp/temp.db
- Repeated requests to /auth1.html or common sensitive paths
- Windows Event ID 4624 logons from the appliance without a corresponding VPN session
- Workstation names such as KALI or unknown DESKTOP identifiers
Patching alone may not remove the attackers
Organizations running affected versions should install platform-hotfix 12.4.3-03453 or 12.5.0-02835 immediately. SonicWall has not provided a workaround, so administrators cannot safely mitigate the vulnerabilities through a configuration change alone.
Applying the patch prevents further exploitation of the vulnerabilities, but it does not remove malicious changes or invalidate data stolen before the update. Administrators must investigate whether the appliance experienced exploitation while vulnerable.
The updated Rapid7 threat analysis recommends treating an appliance as compromised when any published indicator appears.
What to do if compromise is detected
SonicWall recommends re-imaging affected physical appliances or redeploying virtual appliances when investigators find evidence of a breach. Rebuilding from a trusted image helps remove unauthorized changes and persistence mechanisms.
Organizations should reset all user and administrator passwords associated with the appliance. They should also rotate LDAP service account credentials and other secrets that the appliance could access.
TOTP tokens require special attention because attackers reportedly stole their seed configurations. Resetting only a userโs password will not invalidate a copied TOTP seed, so administrators must re-enroll affected multi-factor authentication tokens.
- Disconnect or restrict access to the affected appliance.
- Preserve logs and configuration files for investigation.
- Install the latest supported platform hotfix.
- Re-image physical appliances or redeploy virtual appliances if compromise appears likely.
- Reset user, administrator, LDAP, and service account passwords.
- Revoke active sessions and reset TOTP tokens.
- Review domain controllers for logins originating from the appliance.
- Monitor the CISA exploited vulnerabilities catalog and SonicWall guidance for updates.
FAQ
CVE-2026-15409 is a critical unauthenticated SSRF vulnerability in the SonicWall SMA1000 WorkPlace interface. CVE-2026-15410 is a high-severity code injection flaw that can allow root command execution when attackers reach an affected local service.
Yes. SonicWall and Rapid7 confirmed active exploitation of both vulnerabilities. Attackers used them before public disclosure, making them zero-day vulnerabilities.
The flaws affect SonicWall SMA1000 Series models 6210, 7210, and 8200v running specified platform-hotfix versions in the 12.4.3 and 12.5.0 branches. SonicWall firewalls and SMA 100 Series appliances are not affected.
Customers should install platform-hotfix version 12.4.3-03453 or later for the 12.4.3 branch, or version 12.5.0-02835 or later for the 12.5.0 branch.
Administrators should search for compromise indicators, review authentication activity, reset passwords, revoke active sessions, and reset TOTP tokens. They should re-image physical appliances or redeploy virtual appliances if they find evidence of exploitation.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages