ctipilot.ch
← Back to the live brief
HIGHCVE-2026-15409 +1exploitedupdateNATOB1threatdeep dive

SonicWall SMA 1000 zero-day exploitation (CVE-2026-15409/-15410): Volexity reconstructs UTA0533's full appliance-to-network kill chain

discovered 2026-07-18 04:35 UTCrun 2026-07-18T0409Z-intel3 sourcesmulti-source

UPDATE · originally covered CVE-2026-15409 — SonicWall SMA1000: unauthenticated SSRF (CVSS 10.0) chained to post-auth code injection, actively exploited (2026-07-14)

The original entry recorded SonicWall's confirmation that CVE-2026-15409/-15410 were being exploited as zero-days and directed emergency patching. Volexity has now published the reconstructed intrusion, attributed it to an actor it tracks as UTA0533, and shown that patching alone is insufficient — the delta below is the full kill chain, the on-appliance implants, and the compromise-response guidance the terse advisory did not carry (Volexity, 2026-07-17).

Volexity was engaged after suspect authentication and lateral movement were seen originating from SonicWall SMA 1000 appliances (models 6210/7210/8200v); the earliest sign of compromise was 2026-06-22, weeks before SonicWall's 2026-07-14 disclosure (Volexity, 2026-07-17). SonicWall's PSIRT confirms it "has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory" (SonicWall SNWLID-2026-0008, 2026-07-14), and Rapid7's MDR team independently found the same two zero-days under attack (Rapid7, 2026-07-16).

Initial access (T1190, T1133). CVE-2026-15409 is a pre-authentication server-side request forgery in the SMA 1000 /wsproxy endpoint. A crafted WebSocket-upgrade request establishes a tunnel from the unauthenticated external attacker straight to services that are supposed to be reachable only on the appliance's own loopback — Volexity confirms "no valid SMA session cookie was required during this process" (Volexity, 2026-07-17). Through the tunnel the actor reached the appliance's bundled CouchDB/Erlang services and a localhost-only control service; the shipped CouchDB carries hardcoded admin:admin credentials, and the control service's authentication password is derivable from a device UUID, so the SSRF turns both into part of the external attack surface.

Privilege escalation (T1068). CVE-2026-15410 is a path traversal in the hotfix-rollback workflow: the sysCtrl.execRemoveHotfix operation builds a rollback path from caller-controlled input and hands it to /usr/local/bin/remove_hotfix, which then executes it. A rollback name containing directory-traversal sequences resolves outside the intended rollback directory and runs an attacker-staged script as root.

Persistence and implants (T1055, T1505.003, T1090.003, T1037.004). With root, UTA0533 dropped a setuid helper and a Python loader Volexity calls KNUCKLEBALL, which injects two JAR archives into the appliance's legitimate workplace process: the open-source Suo5 HTTP proxy-forwarder and a Behinder-like Java webshell Volexity calls ORANGETAIL. Persistence was established by adding a call to the loader inside the appliance's workplace init script, and the NGINX Unit configuration was rewritten to add routes that proxy attacker-chosen (arbitrary) request paths to the injected webshell and proxy — so hunting for a fixed URL is the wrong shape; the behaviour is unexpected route entries in the appliance's own reverse-proxy configuration.

Credential access and lateral movement (T1040, T1059). The actor ran tcpdump from a script staged in the appliance's temp directory to capture unencrypted LDAP traffic (TCP 389), harvesting directory credentials off the wire (Volexity, 2026-07-17). Rapid7's engagement observed the actor then "quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network" (Rapid7, 2026-07-16). How far that onward movement reached differs across the two IR firms' cases: Volexity concludes that in the appliances it investigated, "available evidence suggests the threat actor was less successful moving laterally or gaining access to other systems" (Volexity, 2026-07-17) — so treat a foothold on the appliance as a demonstrated launch point for internal movement, but not evidence that deep lateral movement always succeeds.

No valid SMA session cookie was required during this process.

Volexity 2026-07-17

SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.

SonicWall PSIRT (SNWLID-2026-0008) 2026-07-14

the threat actors quickly shifted to lateral movement, pivoting from the compromised appliance directly into the internal corporate network

Rapid7 2026-07-16

Defender actions

  • Treat any SonicWall SMA 1000 that was internet-exposed and unpatched before the hotfix as compromised, not merely vulnerable: re-image rather than patch in place, then reset all account passwords and TOTP seeds — UTA0533 established on-appliance persistence and captured cleartext LDAP credentials, so stolen secrets and implants survive the patch.

ATT&CK mapping

9 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1133External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

overlap matrix · ATT&CK page ↗

T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1059Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1037.004Boot or Logon Initialization Scripts: RC Scripts

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

overlap matrix · ATT&CK page ↗

T1133External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

overlap matrix · ATT&CK page ↗

T1505.003Server Software Component: Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1037.004Boot or Logon Initialization Scripts: RC Scripts

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

overlap matrix · ATT&CK page ↗

T1055Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

overlap matrix · ATT&CK page ↗

T1068Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1055Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1040Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

overlap matrix · ATT&CK page ↗

Discovery TA0007
T1040Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1090.003Proxy: Multi-hop Proxy

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.