Back to Intelligence

CISA KEV Alert: SonicWall SMA1000 & Microsoft Critical Vulnerabilities Under Active Exploit

SA
Security Arsenal Team
July 14, 2026
7 min read

On July 14, 2026, CISA added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation in the wild. These flaws affect critical infrastructure components, specifically SonicWall Secure Mobile Access (SMA) 1000 appliances and core Microsoft identity and collaboration services (Active Directory Federation Services and SharePoint Server).

Per Binding Operational Directive (BOD) 26-04, federal agencies are required to patch these vulnerabilities by the specified deadlines due to the significant risk they pose to the federal enterprise. However, the implications extend far beyond the public sector. These vulnerabilities—ranging from Server-Side Request Forgery (SSRF) and Code Injection to Missing Authentication—represent high-value attack vectors for ransomware operators and initial access brokers targeting enterprise networks.

Given the confirmed active exploitation status, Security Arsenal recommends treating these as emergency patching events.

Technical Analysis

1. SonicWall SMA1000 Appliances (CVE-2026-15409, CVE-2026-15410)

The SMA 1000 series provides secure remote access to internal resources. The addition of these two CVEs suggests a potential attack chain allowing for full device compromise.

  • CVE-2026-15409 (Server-Side Request Forgery - SSRF): This vulnerability allows an attacker to send crafted requests from the vulnerable SMA appliance. In an SSRF attack, the server acts as a proxy, allowing the attacker to scan internal network segments, access cloud metadata services (e.g., AWS IMDSv1), or reach otherwise firewalled management interfaces.
  • CVE-2026-15410 (Code Injection): Often paired with SSRF or utilized standalone, code injection vulnerabilities allow an attacker to execute arbitrary operating system commands on the appliance. This leads to a complete takeover of the gateway, potentially giving attackers a foothold to pivot into the internal LAN or intercept VPN traffic.

2. Microsoft Active Directory Federation Services (CVE-2026-56155)

  • Vulnerability: Insufficient Granularity of Access Control.
  • Impact: AD FS is a critical identity component. An access control vulnerability here could allow an attacker to bypass standard security checks. This might involve elevating privileges within the federation service, accessing SAML tokens without proper authorization, or modifying trust relationships. This is particularly dangerous in cloud identity scenarios (Entra ID/Azure AD hybrid) where AD FS acts as the identity provider.

3. Microsoft SharePoint Server (CVE-2026-56164)

  • Vulnerability: Missing Authentication for Critical Function.
  • Impact: This is a severe class of vulnerability. If a critical function—such as file upload, configuration modification, or API access—lacks authentication, an unauthenticated remote attacker can execute privileged actions simply by sending a specific HTTP request. This often leads to Remote Code Execution (RCE) or massive data exfiltration without requiring valid credentials.

Detection & Response

Defenders must assume that scans and exploitation attempts are already occurring against external-facing interfaces. The following detection mechanisms focus on identifying web exploitation attempts and suspicious authentication patterns associated with these CVEs.

SIGMA Rules

YAML
---
title: SonicWall SMA1000 Potential Exploitation - SSRF and Injection
id: 8a4b2c1d-3e5f-4a6b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential Server-Side Request Forgery (SSRF) or Code Injection attempts against SonicWall SMA1000 appliances based on suspicious URI patterns in web logs.
references:
 - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/15
tags:
 - attack.initial_access
 - attack.t1190
 - attack.t1071
logsource:
 category: webserver
 product: sonicwall_sma
detection:
 selection:
 c-uri|contains:
   - 'cgi-bin/'
   - 'portal/'
   - '../'
   - '%2e%2e'
   - 'wget'
   - 'curl'
   - 'nc '
 c-uri|contains|any:
   - '127.0.0.1'
   - '169.254.169.254'
   - 'localhost'
 condition: selection
falsepositives:
 - Administrative testing
 - Misconfigured internal monitoring
level: high
---
title: Microsoft SharePoint Unauthenticated Critical Function Access
id: 9b5c3d2e-4f6a-5b7c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects potential exploitation of CVE-2026-56164 (Missing Authentication) by identifying successful HTTP 200 responses to sensitive SharePoint endpoints without preceding authentication events or from unusual User-Agents.
references:
 - https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/15
tags:
 - attack.initial_access
 - attack.t1190
logsource:
 category: webserver
 product: iis
detection:
 selection_uri:
 c-uri|contains:
   - '/_layouts/'
   - '/_api/'
   - '/_vti_bin/'
 selection_status:
 sc-status: 200
 selection_method:
 cs-method: 'POST'
 filter_noise:
 cs-user-agent|contains:
   - 'MSOffice'
   - 'Microsoft Office'
   - 'Microsft-CryptoAPI'
 condition: selection_uri and selection_status and selection_method and not filter_noise
falsepositives:
 - Third-party integration tools accessing APIs anonymously (if configured)
 - Heavy scanning noise
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for SonicWall SMA1000 Exploitation Indicators (CEF/Syslog)
// Looks for SSRF patterns and command injection keywords in requests
Syslog
| where SyslogMessage has "SonicWall" 
| extend Uri = extract(@"GET\s+(.*)\s+HTTP", 1, SyslogMessage)
| where Uri has_any ("cgi-bin", "portal", "../", "%2e%2e", "/etc/passwd", "wget", "curl", "powershell") 
       or Uri has_any ("127.0.0.1", "169.254.169", "10.", "192.168.")
| project TimeGenerated, Computer, ProcessName, SyslogMessage, Uri
| order by TimeGenerated desc


// Hunt for SharePoint Suspicious Access related to CVE-2026-56164
// Identify POST requests to API or Layout directories resulting in 200 OK
DeviceNetworkEvents
| where ActionType == "HttpConnectionSuccess"
| where RequestUrl has_any ("/_layouts/", "/_api/", "/_vti_bin/")
| where RequestUrl contains "POST"
| where RemoteIP !in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") // Focus on external sources initially
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RequestUrl, UserAgent
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recent IIS log entries indicating SharePoint exploitation
-- Focus on POST requests to sensitive endpoints returning 200 OK
SELECT * FROM foreach(
  glob(globs='C:\inetpub\logs\LogFiles\**\*.log'),
  {
    SELECT 
      timestamp(string=Date + ' ' + Time) as EventTime,
      c_ip as ClientIP,
      cs_uri_stem as URL,
      cs_method as Method,
      sc_status as HttpStatus,
      cs_user_agent as UserAgent
    FROM parse_csv(filename=_value, delimiter=' ')
    WHERE Method =~ 'POST' 
      AND HttpStatus = '200'
      AND (URL =~ '/_layouts/' OR URL =~ '/_api/' OR URL =~ '/_vti_bin/')
      AND NOT UserAgent =~ 'MSOffice'
    ORDER BY EventTime DESC
    LIMIT 100
  }
)

Remediation Script (PowerShell)

This script assists in checking the version status of Microsoft SharePoint and AD FS. Note that for SonicWall appliances, patching must be performed via the appliance management interface.

PowerShell
<#
.SYNOPSIS
    Checks version health for Microsoft SharePoint and AD FS against recent July 2026 CVEs.
.DESCRIPTION
    This script gathers file version information for critical binaries 
    associated with CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint).
    Compare the output versions against the official Microsoft Security Update Bulletin.
#>

Write-Host "[+] Collecting AD FS Service Information..." -ForegroundColor Cyan
try {
    $adfsservice = Get-Service -Name ADFSSrv -ErrorAction SilentlyContinue
    if ($adfsservice) {
        Write-Host "    AD FS Service Status: $($adfsservice.Status)"
        $adfsdll = Get-Item "C:\Windows\ADFS\Microsoft.IdentityServer.Service.dll" -ErrorAction SilentlyContinue
        if ($adfsdll) {
            Write-Host "    Microsoft.IdentityServer.Service.dll Version: $($adfsdll.VersionInfo.FileVersion)"
        } else {
            Write-Host "    [!] Could not locate AD FS binary." -ForegroundColor Yellow
        }
    } else {
        Write-Host "    AD FS Service not found on this host."
    }
} catch {
    Write-Host "    Error checking AD FS: $_" -ForegroundColor Red
}

Write-Host ""
Write-Host "[+] Collecting SharePoint Information..." -ForegroundColor Cyan
try {
    $spreg = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0\WSS" -ErrorAction SilentlyContinue
    if ($spreg) {
        Write-Host "    SharePoint Installed Version: $($spreg.ProductVersion)"
        $spwebserver = Get-Item "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\bin\Microsoft.SharePoint.dll" -ErrorAction SilentlyContinue
        if ($spwebserver) {
            Write-Host "    Microsoft.SharePoint.dll Version: $($spwebserver.VersionInfo.FileVersion)"
        }
    } else {
        Write-Host "    SharePoint 2016/2019 registry keys not found."
    }
} catch {
    Write-Host "    Error checking SharePoint: $_" -ForegroundColor Red
}

Write-Host ""
Write-Host "[ACTION REQUIRED] Please compare the versions above with the security bulletin released on July 14, 2026." -ForegroundColor Yellow

Remediation

  1. Patch Immediately:

    • SonicWall SMA1000: Apply the relevant security updates released by SonicWall for CVE-2026-15409 and CVE-2026-15410. If patching is not immediately possible, strictly limit management interface access to specific source IPs and disable VPN access for untrusted users.
    • Microsoft AD FS & SharePoint: Install the July 2026 security updates from Microsoft Update. Verify that the specific patches addressing CVE-2026-56155 and CVE-2026-56164 are applied.
  2. Review Access Controls (BOD 26-04 Compliance):

    • Conduct an immediate audit of Active Directory Federation Services trust relationships and issuance policies to detect any tampering resulting from potential CVE-2026-56155 exploitation.
    • Audit SharePoint logs for any unexpected file modifications or user creations around the time of patch application to ensure compromise has not already occurred.
  3. Network Segmentation:

    • Ensure that SonicWall SMA appliances are placed in an isolated DMZ with strict egress rules to prevent SSRF-based pivoting to the internal network (CVE-2026-15409).
  4. Vendor Resources:

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurecisa-kevsonicwallmicrosoft-sharepointactive-directoryvulnerability-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.