SonicWall disclosed two actively exploited vulnerabilities in SMA1000 Series appliances, including CVE-2026-15409 SSRF and CVE-2026-15410 code injection, and urged immediate patching with the latest platform hotfix releases. Rapid7 observed targeted zero-day attacks abusing these flaws to gain appliance access, harvest credentials and TOTP seeds, and pivot into internal Active Directory environments. #SonicWall #SMA1000 #CVE-2026-15409 #CVE-2026-15410 #Rapid7 #CISA #KEV
Keypoints
- SonicWall issued an advisory on July 14, 2026 for two SMA1000 Series vulnerabilities: CVE-2026-15409 and CVE-2026-15410.
- CVE-2026-15409 is a critical SSRF flaw that allows an unauthenticated attacker to tunnel to localhost-only services through /wsproxy.
- CVE-2026-15410 is a high-severity local privilege escalation/code injection issue in the remove_hotfix workflow that can lead to root command execution.
- Rapid7 MDR observed active, targeted zero-day exploitation of internet-facing SMA1000 appliances before official disclosure.
- Both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog due to confirmed in-the-wild exploitation.
- Attackers used the appliance as an initial access point, then harvested credentials, session data, and TOTP MFA seeds for persistence and lateral movement into Active Directory.
- Fixed platform hotfix versions are available, and SonicWall states there are no workarounds; compromised appliances may need re-imaging or redeployment.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers exploited internet-facing SMA1000 appliances through the /wsproxy feature and other portal endpoints to gain initial access (‘active, targeted zero-day exploitation of internet-facing SMA 1000-series appliances’).
- [T1211] Exploitation for Defense Evasion – The SSRF flaw was used to reach localhost-only services behind appliance controls (‘open a websocket-based tunnel to arbitrary localhost-only services’).
- [T1068] Exploitation for Privilege Escalation – CVE-2026-15410 enabled an attacker to execute arbitrary OS commands as root via the remove_hotfix workflow (‘execute arbitrary operating system commands as root’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The exploit executed a shell script payload and ran commands on the appliance (‘/bin/bash … 1234.sh –unattended’).
- [T1003] OS Credential Dumping – Threat actors extracted credentials and session data after compromise (‘systematically extracted high-value credentials, active session databases’).
- [T1528] Steal Application Access Token – Attackers harvested TOTP MFA seed configurations to preserve access (‘Time-Based One-Time Password (TOTP) multi-factor authentication (MFA) seed configurations’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – The article describes lateral movement into Active Directory via authentications to domain controllers from the appliance (‘VPN-less Active Directory authentications targeting core domain controllers’).
- [T1078] Valid Accounts – Compromised service-account and harvested authentication material were used to access internal systems (‘under the context of the appliance’s integrated LDAP service account’).
- [T1105] Ingress Tool Transfer – A Python proof-of-concept and Metasploit chain development were mentioned for exploitation validation (‘A Python proof-of-concept … is available’).
- [T1041] Exfiltration Over C2 Channel – The websocket proxy allowed arbitrary TCP traffic to and from local services, which can support data movement over the attacker-controlled channel (‘send and receive arbitrary TCP traffic to and from them’).
Indicators of Compromise
- [IP addresses] Attacker infrastructure and example target/activity hosts observed in exploitation and testing – 193.37.32[.]179, 216.73.163[.]158, and 45.131.194.0/24, plus 2 more ranges
- [Domains/URLs] Suspicious appliance endpoints used for exploitation and probing – /wsproxy, /__api__/logon//authenticate, and /auth1.html
- [File paths] Paths associated with hotfix-removal exploitation and sensitive data access – /usr/local/bin/remove_hotfix, /var/lib/unit/conf.json, and /tmp/temp.db*
- [File names] Attacker-staged shell payloads and proof-of-concept artifacts – 1234.sh, sma1000_5c47.sh, and cve-2026-15409.py
- [Process/command indicators] Root-level execution seen during exploitation – chmod +x, /bin/bash … –unattended, and shutdown -r now
- [Log artifacts] High-signal log patterns tied to exploitation – extraweb_access.log, ctrl-service.log, and Windows Event ID 4624
- [Cookies/tokens] Web console session and CSRF values appearing in malicious requests – JSESSIONID=node01bcg1tbiy6qi7s97xsoa42lhp8.node0, csrfToken=GFEJUCQBUZOLUCCOO3YBA8G30ZE9VKDP, and EXTRAWEB_REFERER=%252F
- [Host parameters] Suspicious localhost-targeting values used for SSRF – 0.0.0.0, localhost, and ::ffff:127.0.0.1
- [Ports] Appliance and internal service ports involved in exploitation – 443, 8188, and 1050