The Hacker News
כתבה מובילה
Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to

SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution.
The vulnerabilities are listed below - SonicWall said it has "investigated multiple cases indicating the active exploitation of the vulnerabilities," urging customers to apply the fixes as soon as possible.
The patches are available in the following versions - Users are also urged to perform a thorough forensic analysis of the system to determine the presence of any indicators of compromise (IoCs) associated with exploitation - Should one of these indicators be present, it's advised to re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password tokens.
Adam Babis of SonicWall's product security incident response team (PSIRT) has been credited with discovering and reporting the flaws. SonicWall also acknowledged the contributions of Volexity's Sean Koessel and Steven Adair to help advance the internal investigation and identify an additional IoC.
The development has prompted the U. S. Cybersecurity and Infrastructure Security Agency (CISA) to add the two flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026.
In a follow-up report published on July 15, 2026, Rapid7 said it observed active, targeted zero-day exploitation of internet-facing SMA 1000-series appliances since at least late last month. It's assessed that attackers are chaining together the two flaws to take control of susceptible devices.
"Threat actors were primarily leveraging the perimeter appliance as a stealthy initial access vector, executing commands on the operating system by bypassing traditional input validation controls," the cybersecurity company noted .
"Once they established a foothold on the appliance, the actors systematically extracted high-value credentials, active session databases, and Time-Based One-Time Password (TOTP) multi-factor authentication (MFA) seed configurations.
This local harvesting was designed to ensure long-term, persistent access that could survive standard network-level remediations."
The threat actors are said to have conducted lateral movement, jumping from the compromised appliance directly into the internal corporate network, followed by "anomalous, VPN-less Active Directory authentications targeting core domain controllers."
The authentications originated directly from the appliance's internal IP address, utilizing atypical, non-corporate workstation client names (e. g. , kali) under the context of its integrated LDAP service account.
"This unique behavior of direct, machine-level lateral movement with no corresponding active VPN tunnel confirmed that the appliance itself had been fully compromised and was acting as an unmonitored backdoor into the corporate directory infrastructure," Rapid7 added.
Learn how to secure AI agents with practical controls for access, visibility, secrets, and risk containment. Learn how to govern risk, secure AI-built software, and keep control as development moves at machine speed.