ctipilot.ch

UTA0533

actor · actor:uta0533

Volexity's tracking designation for the actor exploiting the SonicWall SMA 1000 zero-day chain (CVE-2026-15409 SSRF, CVE-2026-15410 path-traversal command injection) as zero-days from at least 2026-06-22; deploys the KNUCKLEBALL Python injection loader to run a modified Suo5 HTTP proxy and the ORANGETAIL Java webshell inside the appliance's legitimate workplace process, captures cleartext LDAP credentials, and pivots into internal networks (Volexity, 2026-07-17). No public geopolitical attribution.

Coverage timeline
1
first 2026-07-18 → last 2026-07-18
Peak priority
high
1 high
Sources cited
3
3 hosts
Sections touched
1
updates
Co-occurring entities
3
see Related entities below
ATT&CK techniques
9
pinned v19.1 · see below

Hunting pivots

Affected products
SonicWall Secure Mobile Access (SMA) 1000

ATT&CK techniques

9 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1133External Remote Services×1

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Persistence TA0003

T1037.004Boot or Logon Initialization Scripts: RC Scripts×1

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

T1133External Remote Services×1

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Privilege Escalation TA0004

T1037.004Boot or Logon Initialization Scripts: RC Scripts×1

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Stealth TA0005

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Credential Access TA0006

T1040Network Sniffing×1

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Discovery TA0007

T1040Network Sniffing×1

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Command and Control TA0011

T1090.003Proxy: Multi-hop Proxy×1

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

Evidence: 2026-07-18/sonicwall-sma1000-uta0533-exploitation-kill-chain · ATT&CK page ↗

Story timeline

  1. 2026-07-18SonicWall SMA 1000 zero-day exploitation (CVE-2026-15409/-15410): Volexity reconstructs UTA0533's full appliance-to-network kill chain
    updatesVolexity attributes the SonicWall SMA 1000 zero-day exploitation to UTA0533 and details the SSRF-to-root chain, on-appliance implants and LDAP credential theft

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

uses

Where this entity is cited

  • updates1

Source distribution

  • psirt.global.sonicwall.com1 (33%)
  • rapid7.com1 (33%)
  • volexity.com1 (33%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about UTA0533 (1)

2026-07-18 · view entry permalink →

HIGHCVE-2026-15409 +1exploitedupdateNATOB1

SonicWall SMA 1000 zero-day exploitation (CVE-2026-15409/-15410): Volexity reconstructs UTA0533's full appliance-to-network kill chain

UPDATE · originally covered CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited (2026-07-14)

The original entry recorded SonicWall's confirmation that CVE-2026-15409/-15410 were being exploited as zero-days and directed emergency patching. Volexity has now published the reconstructed intrusion, attributed it to an actor it tracks as UTA0533, and shown that patching alone is insufficient — the delta below is the full kill chain, the on-appliance implants, and the compromise-response guidance the terse advisory did not carry (Volexity, 2026-07-17).

Volexity was engaged after suspect authentication and lateral movement were seen originating from SonicWall SMA 1000 appliances (models 6210/7210/8200v); the earliest sign of compromise was 2026-06-22, weeks before SonicWall's 2026-07-14 disclosure (Volexity, 2026-07-17). SonicWall's PSIRT confirms it "has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory" (SonicWall SNWLID-2026-0008, 2026-07-14), and Rapid7's MDR team independently found the same two zero-days under attack (Rapid7, 2026-07-16).

Initial access (T1190, T1133). CVE-2026-15409 is a pre-authentication server-side request forgery in the SMA 1000 /wsproxy endpoint. A crafted WebSocket-upgrade request establishes a tunnel from the unauthenticated external attacker straight to services that are supposed to be reachable only on the appliance's own loopback — Volexity confirms "no valid SMA session cookie was required during this process" (Volexity, 2026-07-17). Through the tunnel the actor reached the appliance's bundled CouchDB/Erlang services and a localhost-only control service; the shipped CouchDB carries hardcoded admin:admin credentials, and the control service's authentication password is derivable from a device UUID, so the SSRF turns both into part of the external attack surface.

Privilege escalation (T1068). CVE-2026-15410 is a path traversal in the hotfix-rollback workflow: the sysCtrl.execRemoveHotfix operation builds a rollback path from caller-controlled input and hands it to /usr/local/bin/remove_hotfix, which then executes it. A rollback name containing directory-traversal sequences resolves outside the intended rollback directory and runs an attacker-staged script as root.

Persistence and implants (T1055, T1505.003, T1090.003, T1037.004). With root, UTA0533 dropped a setuid helper and a Python loader Volexity calls KNUCKLEBALL, which injects two JAR archives into the appliance's legitimate workplace process: the open-source Suo5 HTTP proxy-forwarder and a Behinder-like Java webshell Volexity calls ORANGETAIL. Persistence was established by adding a call to the loader inside the appliance's workplace init script, and the NGINX Unit configuration was rewritten to add routes that proxy attacker-chosen (arbitrary) request paths to the injected webshell and proxy — so hunting for a fixed URL is the wrong shape; the behaviour is unexpected route entries in the appliance's own reverse-proxy configuration.

Credential access and lateral movement (T1040, T1059). The actor ran tcpdump from a script staged in the appliance's temp directory to capture unencrypted LDAP traffic (TCP 389), harvesting directory credentials off the wire (Volexity, 2026-07-17). Rapid7's engagement observed the actor then "quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network" (Rapid7, 2026-07-16). How far that onward movement reached differs across the two IR firms' cases: Volexity concludes that in the appliances it investigated, "available evidence suggests the threat actor was less successful moving laterally or gaining access to other systems" (Volexity, 2026-07-17) — so treat a foothold on the appliance as a demonstrated launch point for internal movement, but not evidence that deep lateral movement always succeeds.

No valid SMA session cookie was required during this process.

Volexity 2026-07-17

SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.

SonicWall PSIRT (SNWLID-2026-0008) 2026-07-14

the threat actors quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network

Rapid7 2026-07-16
threat18 Jul 04:35Zmulti-sourceOpen finding ↗