Breaking: SonicWall SMA1000 Zero-Days Exploited as Enterprise Backdoors, FortiSandbox Under Sustained Attack — 17 July 2026
SonicWall SMA1000 Zero-Days Under Active Exploitation — CVSS 10.0 SSRF Turns VPN Appliances Into Backdoors
Rapid7's MDR team discovered two zero-day vulnerabilities in SonicWall SMA1000 appliances that are being actively exploited in the wild. CVE-2026-15409, a server-side request forgery flaw scoring CVSS 10.0, allows an unauthenticated attacker to open a websocket-based tunnel to arbitrary localhost-only services. CVE-2026-15410, a code injection vulnerability, enables an authenticated admin-level attacker to execute arbitrary OS commands. Together, these form a complete attack chain: unauthenticated SSRF to establish a foothold, then privilege escalation to full appliance compromise.
What makes this particularly dangerous is what Rapid7 observed in customer environments. Attackers who exploited these flaws extracted high-value Active Directory credentials, session databases, and TOTP multi-factor authentication seed configurations. They then used the compromised SMA appliance as a stealthy pivot point, making Active Directory authentications that appeared to originate from the appliance's internal IP with no corresponding VPN tunnel. The appliance became an unmonitored backdoor into directory infrastructure.
CISA added both CVEs to the Known Exploited Vulnerabilities catalog on July 14 with a remediation deadline of July 17, 2026 — today. SonicWall has released platform hotfix releases that address both vulnerabilities.
FortiSandbox Under Sustained Attack — Third Exploited CVE in 2026
CISA added two Fortinet FortiSandbox OS command injection vulnerabilities to the KEV catalog on July 16, both confirmed as actively exploited. CVE-2026-25089 (CVSS 9.8) and CVE-2026-39808 (CVSS 9.1) both allow unauthenticated remote code execution via crafted HTTP requests to the web UI. This is the third FortiSandbox vulnerability exploited in the wild during 2026, following earlier flaws patched in April that saw active exploitation by mid-June.
Threat intelligence firm Defused Cyber reports observing exploitation of both CVEs over the past 24 hours. The 3-day CISA remediation deadline (July 19) and the unauthenticated nature of the attack make this urgent for any organisation running FortiSandbox, FortiSandbox Cloud, or FortiSandbox PaaS.
Microsoft SharePoint Deserialization RCE Added to KEV
CVE-2026-58644, a deserialization of untrusted data vulnerability in Microsoft SharePoint scoring CVSS 9.8, was added to CISA's KEV catalog on July 16. The flaw allows unauthenticated remote code execution without user interaction. Microsoft initially flagged it as "exploitation more likely" in the July Patch Tuesday release, then updated the advisory within 24 hours to confirm active exploitation. The remediation deadline is July 19 under BOD 26-04.
This adds to an already problematic SharePoint security picture: CVE-2026-50522, another CVSS 9.8 unauthenticated deserialization RCE demonstrated at Pwn2Own Berlin, was also patched this month. The attack chain for these SharePoint flaws typically involves initial RCE followed by IIS machine key theft and persistent malware deployment.
So What / Action
- SonicWall SMA1000: Patch immediately with the latest platform hotfix. If patching is not possible today, isolate the appliance from internal networks and block external management access. Review logs for anomalous AD authentications originating from SMA appliance IPs without corresponding VPN sessions. Assume credential compromise: rotate all AD credentials and TOTP seeds that passed through affected appliances. - Fortinet FortiSandbox: Apply Fortinet's patches before the July 19 deadline. Inventory all FortiSandbox instances including Cloud and PaaS deployments. Check for signs of exploitation in web server logs, particularly unusual HTTP requests to management interfaces. - Microsoft SharePoint: Apply July 2026 Patch Tuesday security updates to all SharePoint servers. Rotate IIS machine keys on patched systems, not just patching alone. Restrict SharePoint admin interfaces from direct internet exposure. The pattern of SharePoint exploitation in 2026 (four separate CVEs) warrants a hardening review beyond patching. - Across all three: these are perimeter and collaboration technologies that attackers target precisely because they sit at trust boundaries. The CISA remediation deadlines are measured in days, not weeks. Prioritise accordingly.

