A previously undocumented threat actor has been attributed to the exploitation of recently disclosed SonicWall Secure Mobile Access (SMA) 1000 series VPN appliances as zero-days prior their public disclosure since June 22, 2026.
Cybersecurity company Volexity is tracking the activity under the moniker UTA0533. The discovery was made following an incident response investigation earlier this month. The impacted organization has not been identified.
"This threat actor was observed using multiple zero-day exploits, malware designed specifically for SonicWall SMA VPN appliances, as well as other attacker tradecraft," security researchers Sean Koessel and Steven Adair said in an analysis.
The vulnerabilities in question are CVE-2026-15409 (CVSS score: 10.0) and CVE-2026-15410 (CVSS score: 7.2), both of which could be chained to facilitate arbitrary command execution and take over susceptible devices. Patches for both the vulnerabilities were released by SonicWall this week.
Two SonicWall SMA VPN devices belonging to the compromised entity have been identified. The sequence of actions undertaken by the threat actor in these appliances are listed below -
-
Appliance 1:
- Writing an ELF Executable named "/usr/bin/xzfind" on June 22, 2026. The file is a setuid binary called ROOTRUN that allows an unprivileged user to execute arbitrary commands as root.
- Writing a second file name "/usr/lib/python3.11/site-packages/deploy_new.py" (aka KNUCKLEBALL), which contains two embedded JAR archives that are injected into a legitimate SonicWall process. The two payloads are Suo5, an open-source HTTP proxy, and a Behinder-like custom Java web shell dubbed ORANGETAIL. The JAR files enable the attackers to interact with them via internet-accessible URI paths: "/workplace/error.jsp" and "/workplace/dialogs/errorDialog.jsp."
- Establishing persistence by modifying the legitimate "/etc/init.d/workplace startup" script by means of the Python script downloaded in the previous step.
- Modifying the NGINX Unit configuration file at "/var/lib/unit/conf.json" to add two routes leading to Suo5 and ORANGETAIL.
-
Appliance 2:
- Making the same modifications to "/var/lib/unit/conf.json" identified on the first appliance, although the routes did not return valid responses.
- Creating multiple files in the "/var/tmp" directory, including one ("lib.sh") that launches tcpdump to inspect unencrypted LDAP traffic to extract usernames and passwords.
The second appliance is said to have fewer artifacts following a reboot on July 2, 2026, resulting in the removal of any memory-resident artifacts and backdoors.
Volexity said it identified additional files associated with exploitation and privilege escalation in the "/tmp" folder of the first appliance, with one file ("/tmp/hypdate.b64") featuring an exploit for CVE-2026-15410.
"The files in /tmp were owned by the unprivileged account used by the appliance's internal database service," the researchers explained. "This indicated the threat actor could write and likely execute files through that service context."
Further analysis of the logs and system memory led to the discovery of CVE-2026-15409, which has been described as a pre-authentication "/wsproxy" bypass that allows an unauthenticated external request to establish a WebSocket tunnel to localhost-only services on the appliance. Specifically, it involves issuing a request with a User-Agent of SMA Connect Agent and a bmID value that begins with -3389.
The external access can be abused by the threat actor to access methods defined in the "sysCtrl" endpoint, providing a pathway for deeper access by exploiting command injection, privilege escalation, and code execution flaws in the SMA control service (i.e., CVE-2026-15410).
Also flagged as part of the analysis is a separate security defect that can permit an attacker to bypass the authentication to the SMA control service ("ctrl-service"). Because the Basic authentication password is derived from the appliance-local hardware identifier ("/sys/class/dmi/id/product_uuid"), an attacker with knowledge of this UUID can determine the password needed for authentication.
What makes this trivial is that the "product_uuid" file is readable by anyone, thereby allowing an unprivileged user to obtain the value and figure out the password. That said, the UUID value is only observed for physical devices, meaning virtual appliances are not impacted.
"It should be noted that this authentication bypass does not appear to have been used in the observed incident," Volexity said. "Instead, the attacker abused a different vulnerability to read the 'product_uuid' file"
In addition, UTA0533 has been linked to the exploitation of CouchDB, a database that comes installed as part of the SMA appliance and is accessible via localhost. Although the exact operation carried out by the threat actor remains unclear, signs point to the use of the CouchDB user to read the "product_uuid" file and ultimately sidestep authentication.
"With this capability, an attacker can reach and exploit less-hardened services running on the appliance, such as the Erlang application on localhost:1050 or the ctrl-service application on localhost:8188," Rapid7 said.
A proof-of-concept (PoC) exploit released by the cybersecurity vendor establishes non-root remote code execution on SonicWall SMA 1000 devices by implementing the Erlang protocol expected by localhost:1050 and tunneling it through the WebSocket for file read-write and arbitrary code execution via RPC calls.
In all, the entire exploitation chain unfolds as follows -
- Send an unauthenticated "/wsproxy" request with the User-Agent string containing SMA Connect Agent and URI parameter starting with bmID=-3389.
- Establish a WebSocket tunnel to localhost-only services.
- Make calls to CouchDB to read, write files as the "couchdb" user.
- Stage a file in "/tmp" as the "couchdb" user that will read the /sys/class/dmi/id/product_uuid file once executed by exploiting CVE-2026-15409.
- Escalate to root by exploiting CVE-2026-15410, a path traversal flaw in the "remove_hotfix" workflow of "ctrl-service" and obtain command execution with elevated privileges.
"UTA0533 combined multiple zero-day vulnerabilities to compromise SonicWall SMA VPN appliances and obtain root-level access," Volexity said. "With root access, the threat actor could access stored or cached credentials, capture network traffic, and potentially intercept credentials processed by the appliances."
"Although UTA0533 demonstrated significant capability in compromising the SonicWall appliances, available evidence suggests the threat actor was less successful moving laterally or gaining access to other systems."
from The Hacker News https://ift.tt/M8N5oAw
via IFTTT





