cognitive cybersecurity intelligence

News and Analysis

Search

Hackers Actively Exploiting SonicWall SMA1000 0-Day Vulnerability in the Wild

Hackers Actively Exploiting SonicWall SMA1000 0-Day Vulnerability in the Wild

SonicWall disclosed two vulnerabilities affecting its SMA1000 Series remote access appliances, and threat actors were already exploiting one of them before the advisory even went public.

The flaws include a critical server-side request forgery (SSRF) bug, CVE-2026-15409, scoring a perfect 10.0 on the CVSS scale, and a high-severity local privilege escalation flaw, CVE-2026-15410. Both have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active, real-world attacks.

The exploit chain starts at /wsproxy, a websocket proxy feature in the SonicWall WorkPlace application (served over port 443). This feature is designed to tunnel TCP traffic to remote hosts, but attackers can point it at localhost instead, letting them reach internal appliance services that were never meant to be internet-facing.

From there, attackers target an Erlang process listening on port 1050. Rapid7’s research found that this process uses a hardcoded authentication cookie, meaning no credentials are needed to achieve remote code execution.

SonicWall SMA1000 0-Day Vulnerability

Once inside, attackers escalate to full root access by abusing CVE-2026-15410, a path traversal flaw in the remove_hotfix workflow. By feeding a malicious file path (like ../../../../var/tmp/privesc) into the hotfix removal process, the system executes attacker-controlled scripts as root, typically followed by an automatic device reboot.

The vulnerabilities affect SMA1000 Series models 6210, 7210, and 8200v running several firmware versions, including 12.4.3-03434 and 12.5.0-02800. Notably, SonicWall firewalls’ SSL VPN functionality and the SMA 100 Series are not affected.

Rapid7’s research team observed attackers using compromised appliances as stealthy entry points into corporate networks. After gaining a foothold, threat actors harvested credentials, session data, and TOTP MFA seeds, then pivoted directly into Active Directory environments.

Investigators flagged unusual login patterns, including authentications from non-corporate device names like “kali,” originating from the appliance itself with no active VPN session, a clear sign the appliance had become an unmonitored backdoor.

Tips for Defenders

Patch immediately to fixed versions 12.4.3-03453 or 12.5.0-02835 (or later); no workarounds exist.

Assume compromise if indicators are found, and follow SonicWall’s forensic and recovery guidance.

Check logs for suspicious /wsproxy requests, unusual remove_hotfix calls, and unexpected NTLM logons from the appliance’s internal IP.

Reset passwords and TOTP tokens for all users following any confirmed compromise.

Consider blocking traffic from ASN 206092 (FNS Holdings Limited), linked to observed attacker infrastructure.

A public proof-of-concept for CVE-2026-15409 is already circulating, and a Metasploit module is reportedly in development, meaning exploitation attempts are likely to increase.

Given the unauthenticated, root-level impact of this chain, organizations running SMA1000 appliances should treat patching as an emergency, not a routine update cycle.

IOCs

Indicator TypeValueContextIP Range45.131.194.0/24Attacker-controlled VPN hosting infrastructureIP Range45.146.54.0/24Attacker-controlled VPN hosting infrastructureIP Range63.135.161.0/24Attacker-controlled VPN hosting infrastructureIP Range173.239.211.0/24Attacker-controlled VPN hosting infrastructureIP Address193.37.32[.]179Attacker-controlled VPN hosting infrastructureIP Address193.37.32[.]214Attacker-controlled VPN hosting infrastructureIP Address216.73.163[.]151Attacker-controlled VPN hosting infrastructureIP Address216.73.163[.]158Attacker-controlled VPN hosting infrastructure

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post Hackers Actively Exploiting SonicWall SMA1000 0-Day Vulnerability in the Wild appeared first on Cyber Security News.

Source: cybersecuritynews.com –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts