GBHackers

Hackers Exploit SonicWall SMA1000 Zero-Days to Execute Commands as Root


Hackers are actively exploiting two zero-day vulnerabilities in the SonicWall SMA 1000 Series remote access appliances. They are chaining a critical server-side request forgery flaw with a local code injection bug to execute commands with root privileges.

Rapid7’s Managed Detection and Response team detected targeted attacks before SonicWall publicly disclosed these vulnerabilities on July 14, 2026.

The flaws, tracked as CVE-2026-15409 and CVE-2026-15410, have since been added to CISA’s Known Exploited Vulnerabilities catalog, highlighting the urgency for affected organizations to patch their exposed systems.

SonicWall SMA1000 Zero-Days

CVE-2026-15409 has a CVSS score of 10.0 and affects a WebSocket proxy component exposed via the /wsproxy endpoint in SonicWall WorkPlace, typically served on port 443.

This vulnerability allows an unauthenticated remote attacker to create a WebSocket-based TCP tunnel to arbitrary services. By specifying localhost addresses as a destination, attackers can access internal appliance services that are normally inaccessible from the internet.

Rapid7 reported that attackers have exploited this access to communicate with services such as an Erlang process on localhost port 1050 and the appliance’s ctrl-service on port 8188.

Researchers demonstrated that the Erlang service could be abused to execute operating system commands because its authentication cookie was hardcoded in the tested deployments.

This can provide an attacker with an initial foothold on the SMA appliance, potentially allowing them to execute commands under the lower-privileged couchdb account.

The second vulnerability, CVE-2026-15410, allows attackers to elevate their access to root. This high-severity flaw exists in the remove_hotfix or rollback workflow handled by the ctrl-service.

It arises from insufficient path validation in a hotfix parameter, which allows for a path traversal attack. An attacker can direct the appliance’s rollback operation to a malicious script placed in a writable directory. The vulnerable process then changes the script’s permissions and invokes it as root via Bash.

Rapid7’s testing showed that the appliance may reboot after successfully executing the supplied script, potentially complicating incident response and forensic collection.

In a successful attack chain, an external attacker can exploit CVE-2026-15409 to access internal-only services, execute code, write or reference a malicious payload, and then exploit CVE-2026-15410 to gain full administrative control of the appliance.

Affected products include SonicWall SMA 1000 Series devices 6210, 7210, and 8200v running vulnerable releases in the 12.4.3 and 12.5.0 branches. SonicWall stated that SSL VPN functionality on SonicWall firewalls and the SMA 100 Series is not affected.

Organizations should immediately upgrade to SonicWall SMA 1000 platform hotfix version 12.4.3-03453 or later, or 12.5.0-02835 or later. No workaround is available.

Since exploitation is confirmed, defenders should also investigate appliances for compromises, re-image affected physical devices, or redeploy virtual appliances when necessary. Additionally, it is important to rotate administrator and user passwords and reset TOTP tokens following a confirmed intrusion.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link