SonicWall SMA1000 Zero-Days Exploited to Steal Credentials and Breach Networks


Attackers are actively exploiting two SonicWall SMA1000 zero-day vulnerabilities to execute commands, steal credentials, and move from compromised remote access appliances into corporate networks.

The flaws, tracked as CVE-2026-15409 and CVE-2026-15410, affect SonicWall SMA1000 Series models 6210, 7210, and 8200v. The SonicWall security advisory urges customers to install the available platform hotfixes immediately.

Organizations should not stop after installing the update. Investigations found attackers stealing passwords, session databases, and time-based one-time password seeds from compromised appliances. Customers must therefore check for evidence of an earlier breach.

One critical flaw and one high-severity vulnerability

CVE-2026-15409 is a critical server-side request forgery vulnerability in the SMA1000 WorkPlace interface. It carries the maximum CVSS score of 10.0 and allows remote exploitation without authentication or user interaction.

The flaw affects a WebSocket proxy feature available through the /wsproxy path. An attacker can manipulate its host and port parameters to make an internet-facing appliance connect to services that should only accept requests from the local system.

CVE-2026-15410 is a high-severity code injection vulnerability in the Appliance Management Console. SonicWall assigned it a CVSS score of 7.2. It can allow an attacker with access to a local management service to execute operating system commands with root privileges.

VulnerabilitySeverityAffected componentPotential result
CVE-2026-15409Critical, CVSS 10.0SMA1000 WorkPlace interfaceUnauthenticated access to local appliance services
CVE-2026-15410High, CVSS 7.2Appliance Management ConsoleOperating system command execution as root

Attackers chain the two SonicWall vulnerabilities

The vulnerabilities become especially dangerous when attackers combine them. The first flaw provides access to services listening only on the applianceโ€™s localhost interface. The second can then elevate that access to root command execution.

According to Rapid7โ€™s investigation, CVE-2026-15409 can open a WebSocket tunnel to arbitrary local services. Researchers demonstrated access to an Erlang service on port 1050 and the ctrl-service application on port 8188.

CVE-2026-15410 involves path traversal in the remove_hotfix function. An attacker who stages a malicious script can manipulate a hotfix removal request, causing the system to mark the script as executable and run it as root.

  1. The attacker connects to the internet-facing /wsproxy endpoint.
  2. CVE-2026-15409 tunnels traffic to a localhost-only service.
  3. The attacker gains code execution on the appliance.
  4. CVE-2026-15410 abuses the hotfix removal process.
  5. A malicious script runs with root privileges.
  6. The attacker steals credentials and attempts to enter the internal network.

Targeted attacks began before public disclosure

Rapid7 detected targeted exploitation of internet-facing SMA1000 appliances before SonicWall publicly disclosed the vulnerabilities on July 14, 2026. This makes both issues zero-days because attackers used them before fixes and public details became available.

The attackers treated the compromised appliances as stealthy entry points. Since these systems provide remote access to internal resources, they may contain valuable authentication data and trusted connections.

Investigators observed attackers collecting several types of sensitive information:

  • User and administrator credentials
  • Active session databases
  • TOTP multi-factor authentication seed configurations
  • LDAP service account credentials
  • Information needed to maintain access after patching

Compromised appliances became internal backdoors

After stealing authentication material, the attackers moved from affected appliances into internal corporate networks. Rapid7 identified unusual Active Directory logins sent directly from the appliancesโ€™ internal IP addresses.

These authentication attempts did not correspond with active VPN sessions. Some used attacker-controlled workstation names, including โ€œkali,โ€ instead of names assigned to legitimate corporate computers.

This activity indicated that attackers had fully compromised the appliances and were using them as unmonitored backdoors. Traditional endpoint monitoring may not detect this behavior because a network appliance does not run the same security software as employee workstations and servers.

Which SonicWall products and versions are affected?

The vulnerabilities affect physical SMA6210 and SMA7210 appliances, along with the virtual SMA8200v model. Several platform-hotfix releases in the 12.4.3 and 12.5.0 branches remain vulnerable.

ProductAffected platform-hotfix versionsFixed version
SMA1000 Series 6210, 7210, and 8200v12.4.3-03245, 12.4.3-03387, 12.4.3-0343412.4.3-03453 or later
SMA1000 Series 6210, 7210, and 8200v12.5.0-02283, 12.5.0-02624, 12.5.0-0280012.5.0-02835 or later

The vulnerabilities do not affect SSL VPN functionality on SonicWall firewall products. They also do not affect appliances in the separate SMA 100 Series product line.

Customers can obtain the patched platform hotfixes through the MySonicWall portal. The SonicWall advisory provides the latest product and remediation information.

CISA adds both vulnerabilities to its exploited flaws catalog

The US Cybersecurity and Infrastructure Security Agency added CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities catalog.

Inclusion in the catalog confirms that reliable evidence of real-world exploitation exists. US federal civilian agencies must remediate cataloged vulnerabilities by the deadline assigned by CISA, while private organizations should also treat them as urgent priorities.

Public exploit code for CVE-2026-15409 has also become available. This increases the chance that more attackers will scan for unpatched internet-facing systems, even if they did not participate in the original campaign.

Indicators of SonicWall SMA1000 exploitation

Security teams should review web access logs, appliance management logs, configuration files, and authentication activity. Suspicious /wsproxy requests with localhost addresses or unusual host parameters may indicate exploitation of CVE-2026-15409.

Rapid7 identified requests containing host values such as localhost or ::ffff:127.0.0.1. Requests that include /wsproxy, an unusual negative bmID value, and an HTTP 101 response deserve particular attention.

The following activity may indicate attempted or successful exploitation:

  • Requests to /wsproxy with suspicious host values returning HTTP 101
  • extraweb_access.log entries involving /__api__/login or /__api__/logout returning HTTP 200
  • ctrl-service.log entries invoking remove_hotfix with path traversal sequences
  • Unexpected /__api__/login or /__api__/logout routes in /var/lib/unit/conf.json
  • Requests for temporary session database files such as /tmp/temp.db
  • Repeated requests to /auth1.html or common sensitive paths
  • Windows Event ID 4624 logons from the appliance without a corresponding VPN session
  • Workstation names such as KALI or unknown DESKTOP identifiers

Patching alone may not remove the attackers

Organizations running affected versions should install platform-hotfix 12.4.3-03453 or 12.5.0-02835 immediately. SonicWall has not provided a workaround, so administrators cannot safely mitigate the vulnerabilities through a configuration change alone.

Applying the patch prevents further exploitation of the vulnerabilities, but it does not remove malicious changes or invalidate data stolen before the update. Administrators must investigate whether the appliance experienced exploitation while vulnerable.

The updated Rapid7 threat analysis recommends treating an appliance as compromised when any published indicator appears.

What to do if compromise is detected

SonicWall recommends re-imaging affected physical appliances or redeploying virtual appliances when investigators find evidence of a breach. Rebuilding from a trusted image helps remove unauthorized changes and persistence mechanisms.

Organizations should reset all user and administrator passwords associated with the appliance. They should also rotate LDAP service account credentials and other secrets that the appliance could access.

TOTP tokens require special attention because attackers reportedly stole their seed configurations. Resetting only a userโ€™s password will not invalidate a copied TOTP seed, so administrators must re-enroll affected multi-factor authentication tokens.

  1. Disconnect or restrict access to the affected appliance.
  2. Preserve logs and configuration files for investigation.
  3. Install the latest supported platform hotfix.
  4. Re-image physical appliances or redeploy virtual appliances if compromise appears likely.
  5. Reset user, administrator, LDAP, and service account passwords.
  6. Revoke active sessions and reset TOTP tokens.
  7. Review domain controllers for logins originating from the appliance.
  8. Monitor the CISA exploited vulnerabilities catalog and SonicWall guidance for updates.

FAQ

What are CVE-2026-15409 and CVE-2026-15410?

CVE-2026-15409 is a critical unauthenticated SSRF vulnerability in the SonicWall SMA1000 WorkPlace interface. CVE-2026-15410 is a high-severity code injection flaw that can allow root command execution when attackers reach an affected local service.

Are the SonicWall vulnerabilities being actively exploited?

Yes. SonicWall and Rapid7 confirmed active exploitation of both vulnerabilities. Attackers used them before public disclosure, making them zero-day vulnerabilities.

Which SonicWall products are affected?

The flaws affect SonicWall SMA1000 Series models 6210, 7210, and 8200v running specified platform-hotfix versions in the 12.4.3 and 12.5.0 branches. SonicWall firewalls and SMA 100 Series appliances are not affected.

Which SonicWall versions fix the vulnerabilities?

Customers should install platform-hotfix version 12.4.3-03453 or later for the 12.4.3 branch, or version 12.5.0-02835 or later for the 12.5.0 branch.

What should organizations do after patching SonicWall SMA1000 appliances?

Administrators should search for compromise indicators, review authentication activity, reset passwords, revoke active sessions, and reset TOTP tokens. They should re-image physical appliances or redeploy virtual appliances if they find evidence of exploitation.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages