SonicWall’s SMA1000 Series remote access appliances are being actively targeted in the wild, and the attacks began before the vendor even published its security advisory. Two newly disclosed flaws are behind the campaign, and one of them scores a perfect 10.0 on the CVSS scale, the maximum possible severity rating.
A Perfect Score and a Privilege Escalation Bug
The first flaw, CVE-2026-15409, is a server-side request forgery (SSRF) vulnerability that earned the rare 10.0 rating. The second, CVE-2026-15410, is a high-severity local privilege escalation bug. Both have already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, an official confirmation that real-world attackers are using them right now, not just theoretical proof-of-concept exploits.
What makes this pairing so dangerous is how cleanly they chain together. On their own, each bug is serious. Combined, they let an attacker go from an anonymous network request to full root control of the appliance.
How the Attack Chain Works
The intrusion path starts at a feature called /wsproxy, a websocket proxy built into the SonicWall WorkPlace portal that normally tunnels traffic to remote hosts over port 443. Researchers found that attackers can redirect this proxy toward the appliance’s own localhost address instead, effectively using a legitimate remote-access feature to reach internal services that were never designed to face the public internet.
From there, the attack targets an internal Erlang process on port 1050. According to research published by Rapid7, this process relies on a hardcoded authentication cookie, meaning attackers don’t need to steal or guess any credentials to interact with it and begin executing code remotely.
The final step abuses the privilege escalation flaw inside the appliance’s remove_hotfix workflow. By supplying a manipulated file path, such as one containing repeated ../ traversal sequences, an attacker can trick the hotfix removal process into executing a script of their choosing with root privileges. The appliance typically reboots automatically once this step completes, a telltale sign for defenders reviewing logs after the fact.
Who Is Affected, and What Attackers Are Doing Once Inside
The vulnerable models are the SMA1000 Series 6210, 7210, and 8200v, running firmware versions including 12.4.3-03434 and 12.5.0-02800. Notably, SonicWall’s separate SSL VPN product line and the SMA 100 Series are not implicated in this particular chain.
Rapid7’s investigators observed attackers using compromised appliances as quiet footholds into corporate networks, harvesting stored credentials, active session tokens, and even the seed values used to generate one-time MFA codes. From there, intruders moved laterally into victims’ Active Directory environments.
One giveaway investigators flagged: authentication attempts using non-corporate device names, including one literally labeled “kali”, that originated from the appliance itself without any corresponding active VPN session. That pattern strongly suggests the appliance had already been turned into an unauthorized entry point rather than serving its intended function.
What Defenders Should Do Now
- Apply the fix immediately: SonicWall has released patched firmware versions 12.4.3-03453 and 12.5.0-02835, and no interim workaround exists.
- Treat any indicators of compromise seriously and follow SonicWall’s published forensic and recovery steps rather than assuming a simple patch resolves an active breach.
- Audit logs for anomalous
/wsproxytraffic, unusual invocations of theremove_hotfixfunction, and unexpected authentication attempts originating from the appliance’s own internal address. - Force password and MFA/TOTP token resets for all users if any compromise indicators are confirmed.
- Consider blocking network traffic associated with ASN 206092 (FNS Holdings Limited), which has been linked to attacker infrastructure in this campaign.
Exploitation Is Likely to Accelerate
A public proof-of-concept targeting CVE-2026-15409 is already circulating online, and reports suggest a ready-made Metasploit module is in development. Once tooling like that becomes widely available, opportunistic scanning and exploitation attempts typically spike quickly.
Because the chain requires no valid credentials and ends in root-level access, security teams running SMA1000 appliances should treat this as an emergency patch rather than something to schedule into a routine maintenance window. Given the appliance’s role as a gateway into internal networks, any delay meaningfully widens the window attackers have to establish persistence before detection.
Leave a Reply