Hackers Exploit Two SonicWall SMA1000 Zero-Days to Gain Root Access


Hackers are actively exploiting two SonicWall SMA1000 zero-day vulnerabilities to compromise internet-facing remote access appliances and gain root-level command execution.

The flaws include the critical CVE-2026-15409, which carries a CVSS score of 10.0, and the high-severity CVE-2026-15410. Attackers can combine them to reach internal appliance services, run commands and take full control of affected devices.

SonicWall has released security hotfixes and confirmed active exploitation in its SMA1000 security advisory. Organizations running affected appliances should install the updates immediately and investigate whether attackers compromised the devices before patching.

Two SonicWall Vulnerabilities Form a Root Access Chain

VulnerabilityTypeSeverityPrimary impact
CVE-2026-15409Server-side request forgeryCritical, CVSS 10.0Unauthenticated access to internal appliance services
CVE-2026-15410Code injection and path traversalHighArbitrary operating system commands with root privileges

CVE-2026-15409 affects a WebSocket proxy exposed through the /wsproxy path in the SonicWall WorkPlace application. The service normally allows TCP tunneling to destinations supplied through request parameters.

The vulnerability fails to prevent attackers from choosing localhost as the destination. An unauthenticated remote attacker can therefore create a WebSocket tunnel from the public WorkPlace interface to services that only listen inside the appliance.

This access breaks an important security boundary. Internal services may assume that requests originate from trusted local components and therefore implement fewer protections than internet-facing services.

Attackers Can Reach Internal Erlang and Control Services

Rapid7’s technical analysis found that attackers can use the WebSocket tunnel to reach an Erlang process on local port 1050 or the appliance’s control service on port 8188.

Rapid7 developed an exploit against the Erlang service that achieved operating system command execution. The researchers found that the Erlang authentication cookie was hardcoded in the tested appliance, removing the need for an attacker to obtain separate credentials for that service.

The initial command execution runs under a restricted account. Attackers can then target CVE-2026-15410 to escalate their access to root.

  • CVE-2026-15409 exposes localhost-only services through the public WorkPlace interface.
  • The internal Erlang process can provide operating system command execution.
  • CVE-2026-15410 abuses the hotfix removal process.
  • The vulnerable workflow executes an attacker-controlled script as root.
  • The appliance normally reboots after completing the malicious hotfix removal operation.

Hotfix Removal Flaw Executes Malicious Scripts as Root

CVE-2026-15410 affects the remove_hotfix workflow used by the appliance control service. An attacker can supply a path containing directory traversal sequences that point outside the expected hotfix directory.

If the selected file exists, the service marks it as executable and runs it through Bash with root privileges. Rapid7 demonstrated the issue using a traversal path that pointed to a script staged in a temporary directory.

SonicWall describes this vulnerability as a code injection flaw in the Appliance Management Console. Under the vendor’s direct attack model, an attacker needs administrative console access. Rapid7’s chain reaches the underlying local service through CVE-2026-15409, creating a path from an unauthenticated internet request to root command execution.

Rapid7 Observed Attacks Before Public Disclosure

Rapid7’s Managed Detection and Response team observed targeted attacks against internet-facing SMA1000 appliances before SonicWall publicly disclosed the vulnerabilities on July 14, 2026.

Investigators found that attackers used compromised appliances as entry points into corporate networks. The threat actors collected credentials, active session databases and Time-Based One-Time Password seed configurations from the devices.

Attackers then used the stolen information to move into internal Active Directory environments. Rapid7 observed network logons originating from the appliance’s internal IP address without a corresponding active VPN session.

Some authentications used non-corporate workstation names such as KALI. This activity indicated that the appliance itself had become an unauthorized access point into the internal network.

CISA Adds Both Flaws to Its Exploited Vulnerabilities Catalog

CISA added both SonicWall vulnerabilities to its Known Exploited Vulnerabilities catalog on July 14. Their inclusion confirms evidence of real-world exploitation.

CISA assigned a remediation deadline of July 17, 2026, for affected US federal agencies. The required action includes applying vendor mitigations and following applicable forensic triage requirements.

Private organizations do not fall under the same federal deadline, but the confirmed attacks and the exposed position of remote access gateways make emergency remediation necessary.

Affected SonicWall SMA1000 Models and Versions

The vulnerabilities affect SonicWall SMA1000 Series models 6210, 7210 and 8200v. Rapid7 and SonicWall identified the following vulnerable software releases:

Release branchVulnerable versions identifiedFixed version
12.4.312.4.3-03245, 12.4.3-03387 and 12.4.3-0343412.4.3-03453 or later
12.5.012.5.0-02283, 12.5.0-02624 and 12.5.0-0280012.5.0-02835 or later

The vulnerabilities do not affect SSL VPN functionality running on SonicWall firewalls. The separate SMA 100 Series product line also remains unaffected.

Administrators should consult the official SonicWall advisory for the latest hotfix availability and recovery instructions. SonicWall has not provided a workaround that replaces installing the fixed release.

Patching Alone May Not Remove an Existing Compromise

Installing the corrected firmware closes the vulnerabilities, but it does not remove credentials or persistent access obtained before the update. Organizations must investigate exposed appliances for evidence of earlier exploitation.

SonicWall recommends reimaging physical appliances or redeploying virtual appliances when investigators confirm a compromise. Administrators should also change user and administrator passwords and reset affected TOTP tokens.

  1. Upgrade to 12.4.3-03453, 12.5.0-02835 or a later fixed release.
  2. Preserve and review appliance logs before rebuilding the device.
  3. Search for suspicious WebSocket and hotfix removal activity.
  4. Reimage physical appliances or redeploy virtual appliances after confirmed compromise.
  5. Change user, administrator and integrated service account credentials.
  6. Reset TOTP seeds for users whose data may have been exposed.
  7. Review Active Directory logons originating from the appliance.
  8. Look for lateral movement from accounts used by the SMA1000 gateway.

Behavioral Indicators Can Reveal Exploitation

Rapid7 recommends checking extraweb_access.log for /wsproxy requests that contain unusual localhost destinations. Suspicious requests may reference localhost or the IPv6-mapped loopback address ::ffff:127.0.0.1 and return an HTTP 101 response.

Administrators should review ctrl-service.log for calls to /usr/local/bin/remove_hotfix that include traversal sequences leading to shell scripts in temporary directories.

Windows Event ID 4624 logons with type 3 also require investigation when they originate from the appliance’s internal address, use unusual workstation names and have no corresponding VPN session.

Indicator typeValue
IP range45.131.194.0/24
IP range45.146.54.0/24
IP range63.135.161.0/24
IP range173.239.211.0/24
IP address193.37.32[.]179
IP address193.37.32[.]214
IP address216.73.163[.]151
IP address216.73.163[.]158
Hosting providerF.N.S Holdings Limited, ASN 206092
Observed asset namesDESKTOP-KRLUI3J, DESKTOP-IC3C80F, DESKTOP-5P0TSCP, KALI and localhost

Network defenders should use these indicators as investigation leads rather than relying on them alone. Hosting providers can reassign addresses, while attackers can change infrastructure and device names quickly.

The Rapid7 report also confirms that public proof-of-concept code exists for CVE-2026-15409 and that a Metasploit module for the exploit chain is under development. This increases the likelihood of broader scanning and exploitation attempts.

Organizations Should Treat the Updates as an Emergency

SMA1000 appliances sit at the network perimeter and handle authentication data, remote sessions and access to internal resources. A compromise can therefore expose far more than the appliance itself.

Organizations should prioritize every internet-facing SMA1000 device, apply the hotfix and conduct a forensic review. Any appliance showing credible indicators should receive treatment as fully compromised.

CISA’s warning, SonicWall’s confirmation and Rapid7’s observed attacks show that administrators should not handle these vulnerabilities through a routine patch cycle.

FAQ

What is CVE-2026-15409?

CVE-2026-15409 is a critical server-side request forgery vulnerability in the SonicWall SMA1000 WorkPlace interface. It allows an unauthenticated remote attacker to create a WebSocket tunnel to internal appliance services.

What is CVE-2026-15410?

CVE-2026-15410 is a high-severity code injection vulnerability affecting the SMA1000 hotfix removal workflow. Rapid7 found that attackers can abuse path traversal behavior to execute a malicious script with root privileges.

Are hackers exploiting the SonicWall SMA1000 vulnerabilities?

Yes. SonicWall, Rapid7 and CISA have confirmed active exploitation. Rapid7 observed targeted attacks before SonicWall publicly disclosed the vulnerabilities.

Which SonicWall SMA1000 models are affected?

The vulnerabilities affect SMA1000 Series models 6210, 7210 and 8200v running identified vulnerable releases in the 12.4.3 and 12.5.0 branches.

Which SonicWall versions fix the vulnerabilities?

Organizations should install platform hotfix version 12.4.3-03453, 12.5.0-02835 or a later fixed release.

Is installing the SonicWall patch enough?

Not when an appliance may already have been compromised. Organizations should review logs, investigate indicators, change credentials, reset exposed TOTP tokens and rebuild affected appliances when compromise receives confirmation.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages