Threat Summary
Category: Active Exploitation / Multiple Vulnerabilities / Enterprise Security / Identity Services / Remote Access Security
Affected Products: SonicWall SMA1000 Appliances, Microsoft Active Directory Federation Services (AD FS), Microsoft SharePoint Server
CVEs: CVE-2026-15409, CVE-2026-15410, CVE-2026-56155, CVE-2026-56164
Primary Risks: Server-Side Request Forgery (SSRF), Code Injection, Authentication Bypass, Access Control Weakness, Remote Code Execution, Privilege Escalation, Enterprise Network Compromise
Threat Status: Confirmed Active Exploitation
Affected Environment: Federal Agencies, Enterprise Networks, Critical Infrastructure, Organizations Operating SonicWall SMA1000 Appliances, Microsoft AD FS, and Microsoft SharePoint Server
Attack Vectors: Server-Side Request Forgery, Code Injection, Insufficient Access Control, Missing Authentication
CISA Action: Added to Known Exploited Vulnerabilities (KEV) Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added four newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after confirming evidence of active exploitation in operational environments.
The newly added vulnerabilities affect SonicWall SMA1000 secure remote access appliances, Microsoft Active Directory Federation Services (AD FS), and Microsoft SharePoint Server—three enterprise technologies widely deployed throughout government agencies, critical infrastructure organizations, healthcare providers, educational institutions, and private-sector enterprises.
Once vulnerabilities are added to the KEV Catalog, CISA has determined that threat actors are actively exploiting them against real-world systems, making rapid remediation a high operational priority.
The four vulnerabilities added include:
CVE-2026-15409 — SonicWall SMA1000 Appliances
Vulnerability: Server-Side Request Forgery (SSRF)
This vulnerability allows attackers to manipulate server-side requests, potentially causing affected appliances to communicate with internal systems or external resources that should not be accessible. SSRF vulnerabilities are frequently used to bypass network segmentation, enumerate internal infrastructure, access cloud metadata services, and facilitate additional stages of enterprise compromise.
CVE-2026-15410 — SonicWall SMA1000 Appliances
Vulnerability: Code Injection
Code injection vulnerabilities allow attackers to introduce malicious commands or executable code into vulnerable applications. Successful exploitation may result in remote code execution, unauthorized system control, credential theft, malware deployment, persistent access, or complete compromise of affected appliances.
Because SonicWall SMA1000 appliances frequently provide secure remote access for enterprise users, successful exploitation could expose organizations to significant operational and security risks.
CVE-2026-56155 — Microsoft Active Directory Federation Services (AD FS)
Vulnerability: Insufficient Granularity of Access Control
Microsoft Active Directory Federation Services plays a critical role in enterprise identity management by providing authentication services and federated identity capabilities across internal and cloud environments.
Access control weaknesses may allow unauthorized users to obtain permissions beyond those intended by system administrators. Identity infrastructure vulnerabilities are particularly significant because successful exploitation may enable attackers to move laterally across enterprise environments, abuse privileged accounts, or compromise authentication systems supporting multiple enterprise applications.
CVE-2026-56164 — Microsoft SharePoint Server
Vulnerability: Missing Authentication for Critical Function
Missing authentication vulnerabilities occur when sensitive application functions fail to properly verify a user’s identity before allowing access to protected functionality.
If successfully exploited, attackers may gain unauthorized access to administrative capabilities, sensitive enterprise information, collaboration platforms, or additional systems connected to SharePoint environments. Because SharePoint commonly stores organizational documents, internal communications, and business records, these vulnerabilities often become high-value targets during enterprise intrusion campaigns.
The addition of these four vulnerabilities to CISA’s KEV Catalog confirms that threat actors are actively targeting identity infrastructure, collaboration platforms, remote access appliances, and enterprise-facing services. These technologies frequently serve as high-value entry points into organizational networks because they often manage authentication, remote connectivity, privileged access, and sensitive business information.
Operational Impact
Organizations operating affected systems could face:
- Remote system compromise
- Authentication bypass
- Unauthorized administrative access
- Remote code execution
- Credential theft
- Privilege escalation
- Enterprise identity compromise
- Lateral movement across enterprise networks
- Deployment of ransomware or additional malware
- Data theft
- Long-term attacker persistence
- Business disruption
Identity management systems and remote access infrastructure remain among the most frequently targeted technologies because compromising these platforms can provide attackers with extensive access across enterprise environments.
Federal Response
CISA added these vulnerabilities to the Known Exploited Vulnerabilities Catalog under Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk.
The directive establishes mandatory vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies and requires organizations to prioritize vulnerabilities that are actively being exploited and capable of providing attackers with significant or complete control over affected systems.
BOD 26-04 also requires agencies to determine whether affected systems were compromised before security updates or mitigations were applied. Organizations should not assume that installing a patch alone eliminates risk if attackers successfully exploited vulnerable systems prior to remediation.
Although BOD 26-04 applies specifically to federal civilian agencies, CISA continues encouraging private-sector organizations, critical infrastructure operators, healthcare providers, educational institutions, financial institutions, and state and local governments to adopt the same risk-based approach when prioritizing vulnerability remediation.
KEV Catalog Continues to Expand
CISA continues expanding the Known Exploited Vulnerabilities Catalog as new evidence of active exploitation becomes available.
Security researchers, software vendors, and cybersecurity professionals who identify vulnerabilities actively being exploited may submit them for consideration through CISA’s KEV nomination process. To qualify, vulnerabilities must have an assigned CVE identifier, verified evidence of active exploitation, and clear mitigation guidance.
The process helps ensure organizations receive timely notification regarding vulnerabilities posing the greatest operational risk.
Defensive Guidance
Organizations operating affected systems should:
- Apply vendor security updates immediately.
- Identify all SonicWall SMA1000, Microsoft AD FS, and Microsoft SharePoint installations across the enterprise.
- Prioritize remediation of internet-facing systems.
- Review affected systems for indicators of compromise before and after patch deployment.
- Examine authentication, application, operating system, and security logs for suspicious activity.
- Verify that privileged accounts have not been abused.
- Search for unauthorized users, scheduled tasks, web shells, scripts, or persistence mechanisms.
- Reset privileged credentials if compromise is suspected.
- Conduct enterprise-wide vulnerability scans to identify additional exposed systems.
- Ensure endpoint detection and response (EDR) platforms continue actively monitoring affected infrastructure after remediation.
- Validate identity infrastructure and federation services for unauthorized configuration changes.
Forecast — 30 Days
- Continued internet-wide scanning targeting vulnerable SonicWall and Microsoft enterprise systems.
- Increased exploitation attempts against internet-facing identity and collaboration infrastructure.
- Additional intrusion campaigns leveraging authentication and remote access vulnerabilities.
- Elevated incident response activity involving enterprise identity environments.
- Continued additions to CISA’s KEV Catalog as new actively exploited vulnerabilities are confirmed.
- Accelerated patch deployment across federal agencies, critical infrastructure organizations, and enterprise networks.
TRJ Verdict
The addition of four new vulnerabilities affecting SonicWall SMA1000 appliances, Microsoft Active Directory Federation Services, and Microsoft SharePoint Server demonstrates that attackers continue focusing on technologies that provide direct access to enterprise authentication, remote connectivity, and collaboration environments. These systems often serve as gateways into organizational networks, making them attractive targets for ransomware operators, espionage groups, and financially motivated cybercriminals.
This latest KEV update also reinforces a growing reality within enterprise cybersecurity: identity infrastructure and remote access platforms have become some of the most strategically valuable assets attackers seek to compromise. Organizations should treat every new KEV addition as an immediate operational security event, rapidly deploy available mitigations, and conduct thorough compromise assessments to determine whether unauthorized access occurred before remediation was completed.
🔥 NOW AVAILABLE! 🔥
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 1 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed
🔥 Kindle Edition 👉 https://a.co/d/9EoGKzh
🔥 Paperback 👉 https://a.co/d/9EoGKzh
🔥 Hardcover Edition 👉 https://a.co/d/0ITmDIB
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 2 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed just like the first one.
🔥 Kindle Edition 👉 https://a.co/d/1xlx7J2
🔥 Paperback 👉 https://a.co/d/a7vFHN6
🔥 Hardcover Edition 👉 https://a.co/d/efhu1ON
Get your copy today and experience poetry like never before. #InkAndFire #PoetryUnleashed #FuelTheFire
🚨 NOW AVAILABLE! 🚨
📖 THE INEVITABLE: THE DAWN OF A NEW ERA 📖
A powerful, eye-opening read that challenges the status quo and explores the future unfolding before us. Dive into a journey of truth, change, and the forces shaping our world.
🔥 Kindle Edition 👉 https://a.co/d/0FzX6MH
🔥 Paperback 👉 https://a.co/d/2IsxLof
🔥 Hardcover Edition 👉 https://a.co/d/bz01raP
Get your copy today and be part of the new era. #TheInevitable #TruthUnveiled #NewEra
🚀 NOW AVAILABLE! 🚀
📖 THE FORGOTTEN OUTPOST 📖
The Cold War Moon Base They Swore Never Existed
What if the moon landing was just the cover story?
Dive into the boldest investigation The Realist Juggernaut has ever published—featuring declassified files, ghost missions, whistleblower testimony, and black-budget secrets buried in lunar dust.
🔥 Kindle Edition 👉 https://a.co/d/2Mu03Iu
🛸 Paperback Coming Soon
Discover the base they never wanted you to find. TheForgottenOutpost #RealistJuggernaut #MoonBaseTruth #ColdWarSecrets #Declassified



