SonicWall has revealed two significant vulnerabilities within its SMA1000 Series remote access appliances. Alarmingly, one of these vulnerabilities was being actively exploited by malicious actors prior to the official advisory being released.
The vulnerabilities in question consist of a critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-15409, which has received the highest possible CVSS score of 10.0. Additionally, there is a locally exploitable privilege escalation flaw, CVE-2026-15410, both of which are included in CISA’s Known Exploited Vulnerabilities catalog, indicating ongoing exploitation in real-world scenarios.
Exploitation Pathways Revealed
The exploitation process begins with the /wsproxy feature, a websocket proxy function within the SonicWall WorkPlace application, which operates over port 443. This feature is intended to route TCP traffic to remote hosts, but attackers have found a way to redirect it to the localhost, enabling access to internal services that should not be exposed to the internet.
Subsequently, attackers move to target an Erlang process that listens on port 1050. Research by Rapid7 has uncovered that this process relies on a hardcoded authentication cookie, allowing attackers to execute remote code without needing credentials.
Escalation to Root Access
Once access is gained, attackers exploit CVE-2026-15410, a path traversal vulnerability in the remove_hotfix function, to achieve root-level control. By supplying a crafted file path, such as ../../../../var/tmp/privesc, during the hotfix removal process, attackers can run scripts with root privileges, typically followed by a system restart.
These vulnerabilities impact SMA1000 Series models 6210, 7210, and 8200v, specifically those running firmware versions 12.4.3-03434 and 12.5.0-02800. Notably, the SSL VPN functionality of SonicWall firewalls and the SMA 100 Series remain unaffected.
Defensive Measures and Future Risks
The Rapid7 team has observed attackers using compromised appliances to gain covert entry into corporate networks. Once inside, they collect credentials, session data, and multi-factor authentication seeds before moving into Active Directory environments.
Unusual login activity, such as authentications from non-corporate device names like “kali,” originating internally without an active VPN session, could indicate the presence of an unmonitored backdoor.
To defend against these threats, SonicWall recommends applying patches to versions 12.4.3-03453 or 12.5.0-02835 without delay. There are no alternative workarounds. Organizations should assume a breach has occurred if indicators are detected and adhere to SonicWall’s forensic and recovery procedures.
Additionally, it is advisable to review logs for suspicious /wsproxy requests, unexpected remove_hotfix executions, and NTLM logons originating from internal IP addresses. Passwords and TOTP tokens should be reset for all users if a breach is confirmed. It may also be prudent to block traffic from ASN 206092, associated with known attacker infrastructure.
With a public proof-of-concept for CVE-2026-15409 already in circulation and a Metasploit module under development, the likelihood of increased exploitation attempts is high. As such, organizations using SMA1000 appliances should prioritize patching as an urgent task.
