SonicWall SMA1000 zero-days exploited in the wild for ransomware access

Two chained vulnerabilities give attackers full remote code execution on unpatched SMA 1000 appliances.

CSBadmin
2 Min Read

Attackers are actively exploiting two zero-day vulnerabilities in SonicWall SMA1000 series appliances, chaining them together for full remote code execution without authentication. The flaws, disclosed July 14, have been under attack since at least June 22, according to Rapid7 researchers who observed the campaign.

CVE-2026-15409, a server-side request forgery bug rated a perfect 10.0 on the CVSS scale, allows unauthenticated attackers to abuse the /wsproxy websocket proxy feature. By pointing it at localhost, attackers can reach internal appliance services never meant to be internet-facing. From there, an Erlang process listening on port 1050 uses a hardcoded authentication cookie, enabling remote code execution with zero credentials.

The second flaw, CVE-2026-15410 (CVSS 7.2), is a path traversal vulnerability in the remove_hotfix workflow that lets attackers escalate to root access. By feeding a malicious file path into the hotfix removal process, the system executes attacker-controlled scripts as root.

When these two are chained, an attacker can go from zero access to a complete system compromise for the affected appliance. Rapid7 observed attackers using compromised appliances as stealthy entry points, harvesting credentials, session data, and TOTP multi-factor authentication seeds before pivoting into Active Directory environments.

Both flaws have been added to CISA Known Exploited Vulnerabilities catalog. SonicWall has released patches in versions 12.4.3-03453 and 12.5.0-02835. A public proof-of-concept is already circulating on GitHub.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.