Ransomware Gang Exploited Two SonicWall Security Flaws Before a Fix Existed
A group tied to Inc ransomware broke into enterprise networks through a pair of critical holes in SonicWall remote-access devices, stealing credentials and preparing to lock down files.

Key points
- SonicWall published a security advisory on July 14 covering two critical flaws, CVE-2026-15409 and CVE-2026-15410, in its SMA 1000 Series remote-access appliances.
- CVE-2026-15409 received a perfect 10-out-of-10 severity score and required no password or login to exploit.
- Security firm Rapid7 confirmed on July 15 that attackers connected to the Inc ransomware group had already used both flaws to break into multiple company networks.
- The US government's cybersecurity agency CISA added both flaws to its official list of actively exploited vulnerabilities on July 14.
- SonicWall has released a fix; Rapid7 warns that patching alone is not enough if the device was already broken into.
Criminals linked to a ransomware operation called Inc broke into corporate networks through a pair of security holes in SonicWall networking devices, security firm Rapid7 confirmed last week. They were using the flaws as zero-days, meaning they exploited the weaknesses before SonicWall even knew the problems existed, let alone had a chance to fix them.
The target was SonicWall's SMA 1000 Series, a family of appliances that sit between an organisation's internal computer network and the public internet, letting employees connect securely from outside the office. Because these devices sit at exactly that boundary, breaking into one gives attackers a foothold inside a company's walls.
How did the hackers get in?
The first flaw, CVE-2026-15409, scored a perfect 10 out of 10 on the standard scale security researchers use to measure severity. It requires no username, no password, nothing. An outsider on the internet could send specially crafted web requests to the device's login portal, tricking it into reaching internal company systems on the attacker's behalf. That technique is called server-side request forgery, and here it handed criminals a way to run their own code on the device at the highest permission level possible.
The second flaw, CVE-2026-15410, scored 7.2 out of 10. It lets someone who already has access to the device's admin panel inject commands directly into the operating system. Used together, the two flaws form a chain: the first gets attackers through the front door, the second gives them the keys to every room.
Once inside, the Inc-linked group followed a familiar playbook. They stole stored passwords, grabbed active login session data, and collected the codes used to generate one-time login tokens, meaning they could impersonate legitimate users. They then spread deeper into the networks, going after domain controllers, the servers that manage who can log in to what across an entire organisation.
Rapid7 told Dark Reading that in most cases it responded to, it stopped the criminals before they could copy files or trigger encryption. In at least one case, ransomware was deployed successfully.
Inc is a ransomware-as-a-service operation, a business model where a core group builds and rents out ransomware, which is malicious software that scrambles a victim's files until a payment is made, to affiliated criminal groups who carry out the actual break-ins.
SonicWall released a hotfix this week and is urging customers to apply it immediately. But Rapid7 issued a sharper warning: if the device was already broken into before patching, installing the update is not enough. In observed cases, attackers who maintained access actually rolled the device back to the unpatched state after the fix was applied, preserving their foothold. A full forensic review of the appliance is required to be sure the criminals are gone.
If your organisation uses SonicWall SMA 1000 appliances, apply the patch now, then have your security team review the device for signs of earlier access.



