U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The flaws added to the catalog are:

  • CVE-2026-15409 SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
  • CVE-2026-15410 SonicWall SMA1000 Appliances Code Injection Vulnerability
  • CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
  • CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability

This week, SonicWall confirmed the active exploitation of two zero-day vulnerabilities affecting Secure Mobile Access (SMA) 1000 appliances. The vulnerabilities were internally discovered and reported by Adam Babis of the company’s PSIRT.

The company investigated multiple incidents indicating these vulnerabilities are being actively exploited in the wild.

The first vulnerability, tracked as CVE-2026-15409 (CVSS score of 10.0), is a Server-side request forgery (SSRF) issue that a remote unauthenticated attacker could exploit to potentially cause the appliance to make requests to an unintended location.

“A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.” reads the advisory.

The second vulnerability, tracked as CVE-2026-15410 (CVSS score of 7.2), is a post-authentication code injection flaw in the Appliance Management Console (AMC) that a remote authenticated attacker could exploit to execute arbitrary operating system commands as administrator under certain conditions.

“Post-authentication improper control of generation of code (‘Code Injection’) vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.” continues the advisory. “SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.”

Regarding the other two issues added to the KEV catalog this month, Microsoft’s July 2026 Patch Tuesday security updates fixed a record 621 CVEs, including two that are being actively exploited as zero-days.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to urgently fix the vulnerabilities by July 17, 2026, except CVE-2026-56155, which must be addressed by July 28, 2026

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter