SonicWall SMA 1000 Zero-Day Actively Exploited
Key Takeaways SonicWall has disclosed two critical vulnerabilities affecting its SMA 1000 Series remote access appliances. One of the flaws, CVE-2026-15409 (CVSS 10.0), is a zero-day actively...
Key Takeaways
- SonicWall has disclosed two critical vulnerabilities affecting its SMA 1000 Series remote access appliances.
- One of the flaws, CVE-2026-15409 (CVSS 10.0), is a zero-day actively exploited in the wild, enabling unauthenticated remote code execution.
- The vulnerabilities allow attackers to gain root access, steal credentials, and pivot into corporate networks.
- Affected models include SMA 6210, 7210, and 8200v running specific firmware versions.
- Patches are available, and immediate application is crucial due to active exploitation and public PoCs.
Critical SonicWall SMA 1000 Zero-Day Under Active Exploitation
SonicWall has issued an urgent advisory regarding two severe vulnerabilities impacting its SMA 1000 Series remote access appliances. One of these flaws, a critical zero-day, was already being actively exploited by threat actors even before its public disclosure.
Table Of Content
The identified vulnerabilities include CVE-2026-15409, a server-side request forgery (SSRF) flaw with a maximum CVSS score of 10.0, and CVE-2026-15410, a high-severity local privilege escalation vulnerability. Both have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the immediate threat they pose in real-world attacks.
Exploitation Chain Details
The attack sequence initiates through the /wsproxy websocket proxy feature within the SonicWall WorkPlace application, which operates over port 443. This feature is intended for tunneling TCP traffic to remote hosts. However, attackers can manipulate it to target localhost, thereby gaining unauthorized access to internal appliance services not designed for external exposure.
Once inside, attackers target an Erlang process listening on port 1050. Rapid7’s research team observed that this process utilizes a hardcoded authentication cookie, which allows for unauthenticated remote code execution.
Following initial compromise, attackers escalate their privileges to full root access by leveraging CVE-2026-15410. This local privilege escalation flaw exploits a path traversal vulnerability in the remove_hotfix workflow. By injecting a malicious file path, such as ../../../../var/tmp/privesc, into the hotfix removal process, the system executes attacker-controlled scripts with root privileges, often resulting in an automatic device reboot.
Affected Devices and Observed Attacks
The vulnerabilities impact SonicWall SMA 1000 Series models 6210, 7210, and 8200v. Specific affected firmware versions include 12.4.3-03434 and 12.5.0-02800. It is important to note that SonicWall firewalls’ SSL VPN functionality and the SMA 100 Series are not affected by these particular flaws.
Rapid7’s investigation revealed that threat actors have been exploiting compromised appliances as covert entry points into corporate networks. After establishing a foothold, attackers proceeded to harvest credentials, session data, and TOTP MFA seeds, subsequently pivoting directly into Active Directory environments.
Investigators identified anomalous login patterns, including authentications from non-corporate device names like “kali,” originating directly from the appliance without an active VPN session. This activity served as a clear indicator that the appliance itself had been compromised and was functioning as an unmonitored backdoor.
A public proof-of-concept for CVE-2026-15409 is already available, with a Metasploit module reportedly under development, suggesting an imminent increase in exploitation attempts. Given the severe impact of unauthenticated, root-level compromise, organizations utilizing SMA 1000 appliances must prioritize patching as an emergency.
What You Should Do
- Immediately apply patches to fixed versions 12.4.3-03453 or 12.5.0-02835 (or later). No temporary workarounds are available.
- Assume compromise if any indicators of exploitation are found and follow SonicWall’s forensic and recovery guidance.
- Review logs for suspicious
/wsproxyrequests, unusualremove_hotfixcalls, and unexpected NTLM logons originating from the appliance’s internal IP address. - In the event of confirmed compromise, reset passwords and TOTP tokens for all users.
- Consider blocking traffic from ASN 206092 (FNS Holdings Limited), as it has been linked to observed attacker infrastructure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.