Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/CyberSecurity News/SonicWall SMA 1000 Zero-Day Actively Exploited
CyberSecurity News

SonicWall SMA 1000 Zero-Day Actively Exploited

Key Takeaways SonicWall has disclosed two critical vulnerabilities affecting its SMA 1000 Series remote access appliances. One of the flaws, CVE-2026-15409 (CVSS 10.0), is a zero-day actively...

David kimber
David kimber
July 16, 2026 3 Min Read
2 0

Key Takeaways

  • SonicWall has disclosed two critical vulnerabilities affecting its SMA 1000 Series remote access appliances.
  • One of the flaws, CVE-2026-15409 (CVSS 10.0), is a zero-day actively exploited in the wild, enabling unauthenticated remote code execution.
  • The vulnerabilities allow attackers to gain root access, steal credentials, and pivot into corporate networks.
  • Affected models include SMA 6210, 7210, and 8200v running specific firmware versions.
  • Patches are available, and immediate application is crucial due to active exploitation and public PoCs.

Critical SonicWall SMA 1000 Zero-Day Under Active Exploitation

SonicWall has issued an urgent advisory regarding two severe vulnerabilities impacting its SMA 1000 Series remote access appliances. One of these flaws, a critical zero-day, was already being actively exploited by threat actors even before its public disclosure.

Table Of Content

  • Key Takeaways
  • Critical SonicWall SMA 1000 Zero-Day Under Active Exploitation
  • Exploitation Chain Details
  • Affected Devices and Observed Attacks
  • What You Should Do

The identified vulnerabilities include CVE-2026-15409, a server-side request forgery (SSRF) flaw with a maximum CVSS score of 10.0, and CVE-2026-15410, a high-severity local privilege escalation vulnerability. Both have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the immediate threat they pose in real-world attacks.

Exploitation Chain Details

The attack sequence initiates through the /wsproxy websocket proxy feature within the SonicWall WorkPlace application, which operates over port 443. This feature is intended for tunneling TCP traffic to remote hosts. However, attackers can manipulate it to target localhost, thereby gaining unauthorized access to internal appliance services not designed for external exposure.

Once inside, attackers target an Erlang process listening on port 1050. Rapid7’s research team observed that this process utilizes a hardcoded authentication cookie, which allows for unauthenticated remote code execution.

Following initial compromise, attackers escalate their privileges to full root access by leveraging CVE-2026-15410. This local privilege escalation flaw exploits a path traversal vulnerability in the remove_hotfix workflow. By injecting a malicious file path, such as ../../../../var/tmp/privesc, into the hotfix removal process, the system executes attacker-controlled scripts with root privileges, often resulting in an automatic device reboot.

Affected Devices and Observed Attacks

The vulnerabilities impact SonicWall SMA 1000 Series models 6210, 7210, and 8200v. Specific affected firmware versions include 12.4.3-03434 and 12.5.0-02800. It is important to note that SonicWall firewalls’ SSL VPN functionality and the SMA 100 Series are not affected by these particular flaws.

Rapid7’s investigation revealed that threat actors have been exploiting compromised appliances as covert entry points into corporate networks. After establishing a foothold, attackers proceeded to harvest credentials, session data, and TOTP MFA seeds, subsequently pivoting directly into Active Directory environments.

Investigators identified anomalous login patterns, including authentications from non-corporate device names like “kali,” originating directly from the appliance without an active VPN session. This activity served as a clear indicator that the appliance itself had been compromised and was functioning as an unmonitored backdoor.

A public proof-of-concept for CVE-2026-15409 is already available, with a Metasploit module reportedly under development, suggesting an imminent increase in exploitation attempts. Given the severe impact of unauthenticated, root-level compromise, organizations utilizing SMA 1000 appliances must prioritize patching as an emergency.

What You Should Do

  • Immediately apply patches to fixed versions 12.4.3-03453 or 12.5.0-02835 (or later). No temporary workarounds are available.
  • Assume compromise if any indicators of exploitation are found and follow SonicWall’s forensic and recovery guidance.
  • Review logs for suspicious /wsproxy requests, unusual remove_hotfix calls, and unexpected NTLM logons originating from the appliance’s internal IP address.
  • In the event of confirmed compromise, reset passwords and TOTP tokens for all users.
  • Consider blocking traffic from ASN 206092 (FNS Holdings Limited), as it has been linked to observed attacker infrastructure.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchThreatVulnerabilityzero-day

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

AI Penetration Testing Now Covers Retrieval Poisoning, Memory, and Sensor Attacks

Next Post

Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us