2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)
Initial Access TA0001
T1190Exploit Public-Facing Application×1
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
trending-vulnerabilitiesSonicWall confirms active exploitation of an unauthenticated SMA1000 SSRF chained to code injection for full appliance takeover
Where this entity is cited
trending-vulnerabilities1
Source distribution
psirt.global.sonicwall.com1 (100%)
Co-occurring entities
Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.
SonicWall's PSIRT advisory SNWLID-2026-0008 (first published 2026-07-14) states it has investigated "multiple cases indicating the active exploitation" of two new SMA1000 flaws (SonicWall PSIRT, 2026-07-14); both CVEs carry a same-day CISA KEV listing (recorded in this entry's CVE status, confirmed against the KEV feed). CVE-2026-15409 (CVSS 10.0, CWE-918) is a server-side request forgery in the SMA1000 Work Place interface that lets a remote, unauthenticated attacker force the appliance to issue requests to an attacker-chosen location; the scope-changed CVSS vector (S:C) indicates the SSRF reaches beyond the vulnerable component's own security boundary. CVE-2026-15410 (CVSS 7.2, CWE-94) is a post-authentication code-injection flaw in the SMA1000 Appliance Management Console (AMC) that lets an authenticated administrator-level session run arbitrary OS commands — read together with the pre-auth SSRF, the pair forms a chain from zero access toward root-equivalent appliance control. The affected firmware is SMA1000 6210/7210/8200v on 12.4.3-03245/03387/03434 and 12.5.0-02283/02624/02800; the fix is platform-hotfix 12.4.3-03453 or 12.5.0-02835, and SonicWall explicitly states neither flaw affects SSL-VPN running on SonicWall firewalls or the SMA100 series (SonicWall PSIRT, 2026-07-14).
SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
Sean Koessel and Steven Adair of Volexity - helped advance SonicWall's PSIRT investigation, leading to the identification of an additional IOC.