Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Critical SonicWall Vulnerability Exploited by Hackers

Critical SonicWall Vulnerability Exploited by Hackers

Posted on July 16, 2026 By CWS

SonicWall has revealed two significant vulnerabilities within its SMA1000 Series remote access appliances. Alarmingly, one of these vulnerabilities was being actively exploited by malicious actors prior to the official advisory being released.

The vulnerabilities in question consist of a critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-15409, which has received the highest possible CVSS score of 10.0. Additionally, there is a locally exploitable privilege escalation flaw, CVE-2026-15410, both of which are included in CISA’s Known Exploited Vulnerabilities catalog, indicating ongoing exploitation in real-world scenarios.

Exploitation Pathways Revealed

The exploitation process begins with the /wsproxy feature, a websocket proxy function within the SonicWall WorkPlace application, which operates over port 443. This feature is intended to route TCP traffic to remote hosts, but attackers have found a way to redirect it to the localhost, enabling access to internal services that should not be exposed to the internet.

Subsequently, attackers move to target an Erlang process that listens on port 1050. Research by Rapid7 has uncovered that this process relies on a hardcoded authentication cookie, allowing attackers to execute remote code without needing credentials.

Escalation to Root Access

Once access is gained, attackers exploit CVE-2026-15410, a path traversal vulnerability in the remove_hotfix function, to achieve root-level control. By supplying a crafted file path, such as ../../../../var/tmp/privesc, during the hotfix removal process, attackers can run scripts with root privileges, typically followed by a system restart.

These vulnerabilities impact SMA1000 Series models 6210, 7210, and 8200v, specifically those running firmware versions 12.4.3-03434 and 12.5.0-02800. Notably, the SSL VPN functionality of SonicWall firewalls and the SMA 100 Series remain unaffected.

Defensive Measures and Future Risks

The Rapid7 team has observed attackers using compromised appliances to gain covert entry into corporate networks. Once inside, they collect credentials, session data, and multi-factor authentication seeds before moving into Active Directory environments.

Unusual login activity, such as authentications from non-corporate device names like “kali,” originating internally without an active VPN session, could indicate the presence of an unmonitored backdoor.

To defend against these threats, SonicWall recommends applying patches to versions 12.4.3-03453 or 12.5.0-02835 without delay. There are no alternative workarounds. Organizations should assume a breach has occurred if indicators are detected and adhere to SonicWall’s forensic and recovery procedures.

Additionally, it is advisable to review logs for suspicious /wsproxy requests, unexpected remove_hotfix executions, and NTLM logons originating from internal IP addresses. Passwords and TOTP tokens should be reset for all users if a breach is confirmed. It may also be prudent to block traffic from ASN 206092, associated with known attacker infrastructure.

With a public proof-of-concept for CVE-2026-15409 already in circulation and a Metasploit module under development, the likelihood of increased exploitation attempts is high. As such, organizations using SMA1000 appliances should prioritize patching as an urgent task.

Cyber Security News Tags:CISA, CVE-2026-15409, cyber attack, Cybersecurity, Hackers, remote access, security flaw, SMA1000, SonicWall, Vulnerability

Post navigation

Previous Post: The Challenges of OT Security in a Converging IT World

Related Posts

17K+ SharePoint Servers Exposed to Internet 17K+ SharePoint Servers Exposed to Internet Cyber Security News
AI-Powered Cybersecurity Tools Can Be Turned Against Themselves Through Prompt Injection Attacks AI-Powered Cybersecurity Tools Can Be Turned Against Themselves Through Prompt Injection Attacks Cyber Security News
Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances Cyber Security News
Quid Miner Launches Mobile App to Unlock in Daily Cloud Mining Income for BTC, DOGE, and XRP for Investors Quid Miner Launches Mobile App to Unlock in Daily Cloud Mining Income for BTC, DOGE, and XRP for Investors Cyber Security News
New Phishing Tactic Utilizes Google Cloud for Remcos RAT New Phishing Tactic Utilizes Google Cloud for Remcos RAT Cyber Security News
Samsung MagicINFO 9 Server Vulnerability Let Attackers Write Arbitrary File Samsung MagicINFO 9 Server Vulnerability Let Attackers Write Arbitrary File Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical SonicWall Vulnerability Exploited by Hackers
  • The Challenges of OT Security in a Converging IT World
  • n8n Token Flaw Allows Unauthorized User Access
  • WhatsApp Scam: How GhostPairing Endangers Accounts
  • AI Data Centers Face Security Challenges Amid Rapid Growth

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical SonicWall Vulnerability Exploited by Hackers
  • The Challenges of OT Security in a Converging IT World
  • n8n Token Flaw Allows Unauthorized User Access
  • WhatsApp Scam: How GhostPairing Endangers Accounts
  • AI Data Centers Face Security Challenges Amid Rapid Growth

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark