top of page

SonicWall customers face severe exploit chain: Patching alone is not enough

SonicWall network device users have once again entered a tense new race against hackers. This time, the culprit is a pair of zero-day security vulnerabilities actively being exploited in the wild, threatening to take complete control of corporate systems.

The danger of the vulnerability duo

SonicWall has officially announced information regarding two new security vulnerabilities with the identifiers CVE-2026-15409 and CVE-2026-15410. Although the manufacturer claimed that one of their employees discovered these flaws, experts from security firm Rapid7 revealed a troubling reality: attackers had silently exploited them since June 22 - about three weeks before the patch was released.

The most dangerous aspect of this campaign is that the attackers did not use them individually but combined these two vulnerabilities (exploit chaining) to create a complete attack sequence. The affected product line is the SonicWall SMA1000 remote access appliance.

Of these two flaws, one reaches maximum severity, allowing hackers to send forged requests under the guise of valid users, while the other allows unauthorized command injection into the system. When combined, this pair of vulnerabilities throws the door wide open, allowing hackers to go from zero - no access privileges at all - to gaining full remote control of the device over the Internet.

According to experts' assessments, the ultimate goal of this hacking group is highly likely to distribute ransomware. Fortunately, in the cases documented by Rapid7, experts managed to timely prevent the attackers' data theft and system encryption behaviors.

The most dangerous aspect of this campaign is that the attackers combined two vulnerabilities (exploit chaining) to create a complete attack sequence.
The most dangerous aspect of this campaign is that the attackers combined two vulnerabilities (exploit chaining) to create a complete attack sequence.

Scope of impact and SonicWall's response

Currently, SonicWall is keeping specific details about the identity, origin, and precise motives of the hacking group behind the attacks confidential. Regarding the scale, the tech firm reassured that the affected SMA1000 device line accounts for only a very small percentage (under 5,000 devices) out of approximately 1 million active sensors globally. However, the company confirmed that it has been directly assisting in handling multiple real-world attack cases.

Given the serious nature of the incident, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately added both zero-day vulnerabilities to its catalog of actively exploited flaws.

A media representative for SonicWall shared that the company prioritized response speed above all else. Within just a few days of becoming aware of the threat, the engineering team successfully developed an automated script to help affected customers quickly remediate the incident, alongside releasing a software update.

A wake-up call and expert advice

This is not the first time SonicWall devices have become prime targets for cybercriminals. Looking back at history, since late 2021, up to 17 security flaws related to the company's products have been placed on CISA's emergency warning list. Ten of those were exploited for ransomware campaigns, typically exemplified by the Akira ransomware attack wave in mid-2025. Even earlier in 2025, a state-sponsored hacking group breached the company's cloud environment and stole the firewall configurations of all customers.

In light of this situation, cybersecurity experts emphasize a reality: for vulnerabilities that were already exploited before a patch became available, updating the software to the latest version is a necessary but insufficient condition. Since attackers may have already hidden within the system beforehand, businesses need to proactively review and search for signs of intrusion based on the advisory data provided by SonicWall.


The attack on SonicWall devices once again reminds organizations of the harsh reality of the cybersecurity battlefield. As cybercriminals always seek to stay one step ahead using zero-day vulnerabilities, a proactive defense mindset and regular system assessment are the keys to ensuring the safety of corporate data.

Reference: CyberScoop

Comments


follow ipsip vietnam.png
40051abd5a76713af8f015988fc6780e-blue-phone-icon-with-a-wave-on-it.webp
whatsapp-mobile-software-icon-png-image_6315991.png
pngtree-minimal-calendar-icon-vector-png-image_21233134.png
IPSIP logo transparent.png

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)

Tax code: 0313859600

🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

​☎  +84 918 397 489

  • Linkedin
  • Facebook
  • TikTok
  • Email liên hệ
png-clipart-iso-iec-27001-information-security-management-iso-iec-27002-international-orga
soc 2 type ii

Our Services

Sign up to receive in-depth cybersecurity documents and news from IPSIP Vietnam.

bottom of page