Blog
SonicWall SMA1000SSRF ChainCISA KEVSSL-VPN

SonicWall SMA1000 Zero-Days: CVE-2026-15409 Chains SSRF to Root

SonicWall SMA1000 is under active attack: unauth SSRF CVE-2026-15409 chains with CVE-2026-15410 to reach root — patch to 12.4.3-03453 / 12.5.0-02835, then hunt and rotate.

Zero Hunt Research··8 min read

On 14 July 2026 SonicWall told SMA1000 customers to patch two vulnerabilities that were already being exploited — not theorised, not proof-of-concept, exploited in live incidents its own responders had worked. Within hours CISA added both CVE-2026-15409 and CVE-2026-15410 to the Known Exploited Vulnerabilities catalog and set a federal remediation deadline of 17 July under BOD 26-04. That is a three-day clock on a secure-access appliance that, by design, sits on the perimeter and terminates VPN sessions for the whole workforce. If you run an SMA1000 and you are reading this after the 17th, assume you are late.

The interesting part is not that another edge appliance had a critical bug. It is how the two bugs combine — and why the reflex reading of the advisory ("one of them needs an authenticated admin, so we're mostly fine") is exactly the wrong conclusion.

The SonicWall SMA1000 chain: two bugs, one collapsed boundary

Read individually, the two CVEs look manageable. Read as the chain Rapid7's MDR team documented, they are a pre-auth path to root.

  • CVE-2026-15409 — a Server-Side Request Forgery in the SMA1000 Work Place interface, CVSS 10.0, reachable by a remote unauthenticated attacker. The bug lives in the /wsproxy websocket proxy on port 443. Feed it a host parameter that points back at the appliance itself — localhost, 0.0.0.0, ::ffff:127.0.0.1 — and the proxy dutifully connects to internal services that were never meant to face the internet, including the Erlang management process listening on localhost:1050.
  • CVE-2026-15410 — a code injection in the Management Console, CVSS 7.2, nominally requiring an authenticated administrator. The flaw is a path traversal in the remove_hotfix workflow on port 8188: craft a hotfix parameter like ../../../../var/tmp/privesc and the console executes attacker-controlled commands as root.

The chain is the whole story. The SSRF gives the unauthenticated attacker a foothold inside the appliance's trust boundary — a request origin the management plane treats as local and privileged. From there the "authenticated-only" code injection is no longer gated by anything the attacker has to steal first. The perimeter that made CVE-2026-15410 look like a 7.2 evaporates.

Step CVE Component Port What it buys the attacker
1 CVE-2026-15409 (SSRF) Work Place /wsproxy 443 Unauth request origin inside the box; reach localhost:1050
2 CVE-2026-15410 (code injection) Management Console remove_hotfix 8188 Arbitrary command execution as root
3 Post-exploit Session store + TOTP config Credentials, session cookies, MFA seeds

Why "authenticated RCE" was never a mitigation

Vendors describe post-authentication bugs the way they do because, in isolation, that description is accurate. The failure mode is treating that description as a control. Authentication is only a boundary if the attacker cannot manufacture the authenticated context some other way. On the SMA1000, a second unauthenticated bug manufactures exactly that context.

"We patched CVE-2026-15409 the morning it dropped. The SSRF is closed. Are we clear?" "Did you patch 15410 too?" "That one needs an admin login — we figured it was lower priority." "The SSRF was the admin login. And it ran for days before you patched. Pull the logs."

This is the pattern behind almost every serious edge-appliance breach of the last three years: the headline CVE is a single bug, but the intrusion is a chain, and defenders scope their response to the bug instead of the chain. SSL-VPN and secure-access gateways are the most-targeted initial-access surface precisely because one appliance concession yields authenticated reach into everything behind it. SonicWall SMA1000 devices have shown up in ransomware initial-access reporting before; this is that pattern, now automated into a two-stage exploit.

What the attackers did after root — the part patching won't fix

The reason this advisory is not "patch and move on" is what Rapid7 observed after the root shell. The operators went straight for the credential material an SSL-VPN concentrator is unfortunately rich in:

  • Active session databases were exfiltrated (requests to /tmp/temp.db*), handing attackers live sessions that survive a password reset.
  • TOTP MFA seed configurations were stolen — meaning the attacker can now generate valid second-factor codes for the accounts whose seeds they took. Rotating passwords alone does not close this; the seeds must be re-issued.
  • User and administrator credentials were harvested wholesale.

Then the appliance itself was repurposed. Rapid7 describes compromised SMA1000s becoming "VPN-less" backdoors: direct Active Directory authentications to domain controllers, originating from the appliance's own internal IP under its integrated LDAP service-account context, with non-corporate hostnames — one observed attacker box announced itself as kali. In ATT&CK terms this is T1190 (exploit public-facing application) into T1548 (abuse elevation control) into T1078 (valid accounts) and T1556/T1111 (modify authentication / intercept MFA) for the stolen seeds.

The implication is blunt: on a device where the attacker reached root and pulled session and TOTP stores, upgrading the firmware evicts the vulnerability but not the intruder. You have to assume the credential material is gone.

Remediation

Treat any internet-exposed SMA1000 running a vulnerable build as compromised until forensics say otherwise. The order below matters.

1. Am I affected?

The SMA1000 series — SMA6210, SMA7210, SMA8200v, and CMS — is affected on these builds (per SonicWall SNWLID-2026-0008):

  • 12.4.3-03245, 12.4.3-03387, 12.4.3-03434
  • 12.5.0-02283, 12.5.0-02624, 12.5.0-02800

Check your running firmware in the management console or via the appliance banner. The lower-numbered SMA100 series and the Gen7 firewalls are a different product line and are not covered by this notice — do not let that reassure you if you run SMA1000.

2. Patch — exact fixed versions

Upgrade to, verbatim from the vendor notice:

  • 12.4.3-03453 and higher, or
  • 12.5.0-02835 and higher

There is no configuration workaround that closes the unauthenticated SSRF while leaving the appliance in service. Patching is the control.

3. Can't patch this hour? — compensating controls

If you genuinely cannot apply the update immediately, the honest guidance from BOD 26-04 applies: take the appliance offline. As interim hardening while you stage the upgrade:

  • Restrict management-plane exposure (ports 8188 and the internal management services must never be internet-reachable).
  • Front the Work Place interface with a WAF rule that rejects /wsproxy requests whose host/target parameters resolve to loopback (localhost, 0.0.0.0, 127.0.0.1, ::ffff:127.0.0.1) — this blunts the SSRF primitive but is not a substitute for the patch.
  • Constrain source IPs to known VPN client ranges if your user population allows it.

4. Hunt for compromise — signals and IOCs

Pull the appliance logs before re-imaging. Look for:

  • extraweb_access.log — websocket-proxy abuse: entries matching GET + wsproxy + =-3389 + HTTP status 101; host parameters of 0.0.0.0, localhost, or ::ffff:127.0.0.1.
  • ctrl-service.logremove_hotfix invocations containing path-traversal sequences (../../../../../../tmp/) and any "hotfix removal" events you did not initiate.
  • /var/lib/unit/conf.json — suspicious routes injected for /__api__/login, /__api__/logout, or /wsproxy.
  • Session-theft artifacts — reads of /tmp/temp.db*.
  • Network — inbound from the IP ranges Rapid7 attributes to ASN 206092 (F.N.S Holdings Limited): 45.131.194.0/24, 45.146.54.0/24, 63.135.161.0/24, 173.239.211.0/24, and hosts 193.37.32.179, 193.37.32.214, 216.73.163.151, 216.73.163.158.
  • Downstream — AD authentications to domain controllers sourced from the appliance's internal IP, especially under the LDAP service account or from non-corporate hostnames (kali and similar). This is the lateral-movement tell, and it lives in your DC logs, not the appliance.

Map findings to T1190, T1548, T1078, T1556/T1111.

5. Eradicate + verify

Because the attacker had root and access to credential stores, SonicWall's own guidance is to re-image or re-deploy any appliance where compromise is suspected — a firmware upgrade over a live compromise is not eradication. After a clean rebuild on a fixed build:

  • Reset all credentials that ever authenticated through or were stored on the appliance — local admins, service accounts, and the integrated LDAP service account in particular.
  • Re-issue TOTP/MFA seeds for affected users. Stolen seeds mean the second factor is compromised until re-provisioned; do not skip this because passwords were changed.
  • Invalidate all active sessions — the exfiltrated session database contains tokens that survive password resets.
  • Verify clean after patching, not before: confirm the fixed firmware, confirm no rogue routes in conf.json, and confirm the IOCs above are absent on a fresh capture.

Where Zero Hunt fits

Everything above is a chain, not a CVE — and that is the point most scanners miss. A version-match tool tells you the box is running 12.5.0-02800 and flags two CVEs. It does not tell you that the unauthenticated SSRF reaches the management console, that the "authenticated" injection is therefore practically pre-auth, or that the realistic outcome is root plus a stolen TOTP store. The gap between "two CVEs present" and "here is the working path from the internet to your domain controller" is where real risk lives.

Zero Hunt's 10-agent AI swarm is built to close that gap. On an appliance like this, the Recon and Web agents map the exposed Work Place and management surfaces, the Exploit agent's generative engine writes a per-target SSRF primitive against the actual /wsproxy behaviour rather than replaying a public PoC, and the Pivot and Post-Exploit agents carry that origin into the console injection and out to the credential and TOTP stores — proving the whole chain, or proving it doesn't reach. Every skill the swarm uses is backtested in the AI Gym against black-box CVE corpora before it touches a production asset, and every finding is ECDSA-signed so the evidence — this input, this response, root here — stands up in an audit or an insurance claim. Because the appliance is on-perimeter and change-triggered campaigns fire within the hour of a new asset appearing, the chain gets exercised on your schedule, not the attacker's.

And for the part patching cannot undo — the credential harvest and the VPN-less pivot to AD — Zero Hunt's on-appliance traffic model watches the wire while it happens: the four inference heads flag the anomalous internal-origin authentications to your domain controllers, the session-store reads, and the outbound staging that firmware upgrades never see, running locally on the appliance GPU rather than waiting for tomorrow's SIEM digest. The vulnerability had a patch on 14 July. The intrusion behind it needs to be hunted — and that is a different job.