2026-07-18 · view entry permalink →
SonicWall SMA 1000 zero-day exploitation (CVE-2026-15409/-15410): Volexity reconstructs UTA0533's full appliance-to-network kill chain
UPDATE · originally covered CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited (2026-07-14)
The original entry recorded SonicWall's confirmation that CVE-2026-15409/-15410 were being exploited as zero-days and directed emergency patching. Volexity has now published the reconstructed intrusion, attributed it to an actor it tracks as UTA0533, and shown that patching alone is insufficient — the delta below is the full kill chain, the on-appliance implants, and the compromise-response guidance the terse advisory did not carry (Volexity, 2026-07-17).
Volexity was engaged after suspect authentication and lateral movement were seen originating from SonicWall SMA 1000 appliances (models 6210/7210/8200v); the earliest sign of compromise was 2026-06-22, weeks before SonicWall's 2026-07-14 disclosure (Volexity, 2026-07-17). SonicWall's PSIRT confirms it "has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory" (SonicWall SNWLID-2026-0008, 2026-07-14), and Rapid7's MDR team independently found the same two zero-days under attack (Rapid7, 2026-07-16).
Initial access (T1190, T1133). CVE-2026-15409 is a pre-authentication server-side request forgery in the SMA 1000 /wsproxy endpoint. A crafted WebSocket-upgrade request establishes a tunnel from the unauthenticated external attacker straight to services that are supposed to be reachable only on the appliance's own loopback — Volexity confirms "no valid SMA session cookie was required during this process" (Volexity, 2026-07-17). Through the tunnel the actor reached the appliance's bundled CouchDB/Erlang services and a localhost-only control service; the shipped CouchDB carries hardcoded admin:admin credentials, and the control service's authentication password is derivable from a device UUID, so the SSRF turns both into part of the external attack surface.
Privilege escalation (T1068). CVE-2026-15410 is a path traversal in the hotfix-rollback workflow: the sysCtrl.execRemoveHotfix operation builds a rollback path from caller-controlled input and hands it to /usr/local/bin/remove_hotfix, which then executes it. A rollback name containing directory-traversal sequences resolves outside the intended rollback directory and runs an attacker-staged script as root.
Persistence and implants (T1055, T1505.003, T1090.003, T1037.004). With root, UTA0533 dropped a setuid helper and a Python loader Volexity calls KNUCKLEBALL, which injects two JAR archives into the appliance's legitimate workplace process: the open-source Suo5 HTTP proxy-forwarder and a Behinder-like Java webshell Volexity calls ORANGETAIL. Persistence was established by adding a call to the loader inside the appliance's workplace init script, and the NGINX Unit configuration was rewritten to add routes that proxy attacker-chosen (arbitrary) request paths to the injected webshell and proxy — so hunting for a fixed URL is the wrong shape; the behaviour is unexpected route entries in the appliance's own reverse-proxy configuration.
Credential access and lateral movement (T1040, T1059). The actor ran tcpdump from a script staged in the appliance's temp directory to capture unencrypted LDAP traffic (TCP 389), harvesting directory credentials off the wire (Volexity, 2026-07-17). Rapid7's engagement observed the actor then "quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network" (Rapid7, 2026-07-16). How far that onward movement reached differs across the two IR firms' cases: Volexity concludes that in the appliances it investigated, "available evidence suggests the threat actor was less successful moving laterally or gaining access to other systems" (Volexity, 2026-07-17) — so treat a foothold on the appliance as a demonstrated launch point for internal movement, but not evidence that deep lateral movement always succeeds.
No valid SMA session cookie was required during this process.
SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.
the threat actors quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network