CISA Adds Four Actively Exploited Vulnerabilities, Including SonicWall and Microsoft…
- CVE ID
- CVE-2026-15409, CVE-2026-15410, CVE-2026-56155, CVE-2026-56164
- CVSS Score
- N/A
- Affected Products
- SonicWall SMA1000 Appliances, Microsoft Active Directory Federation Services (AD FS), Microsoft SharePoint Server
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) announced on July 14, 2026, the addition of four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These additions are based on confirmed evidence of active exploitation in the wild, underscoring their immediate threat to federal civilian executive branch (FCEB) agencies and, by extension, all organizations. The newly cataloged vulnerabilities include two critical flaws affecting SonicWall SMA1000 Appliances and two significant vulnerabilities impacting Microsoft’s Active Directory Federation Services (AD FS) and SharePoint Server. These types of actively exploited vulnerabilities represent frequent attack vectors for malicious cyber actors and pose substantial risks to enterprise environments.
Technical Details
The four vulnerabilities added to the KEV Catalog are:
- CVE-2026-15409: SonicWall SMA1000 Appliances Server-Side Request Forgery (SSRF) Vulnerability. This flaw in SonicWall’s Secure Mobile Access (SMA) 1000 series appliances could allow an attacker to make arbitrary requests from the server, potentially leading to information disclosure or further compromise of internal systems.
- CVE-2026-15410: SonicWall SMA1000 Appliances Code Injection Vulnerability. Also affecting the SMA1000 series, this vulnerability allows for the injection of malicious code, which could enable remote code execution or other severe impacts.
- CVE-2026-56155: Microsoft Active Directory Federation Services (AD FS) Insufficient Granularity of Access Control Vulnerability. This is an elevation of privilege vulnerability in AD FS that, if successfully exploited, allows an authorized attacker to elevate their privileges locally. While initially rated as “Important” by Microsoft, its active exploitation makes it a critical concern.
- CVE-2026-56164: Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability. This vulnerability allows an unauthorized attacker to perform spoofing over a network due to missing authentication for a critical function within SharePoint Server. Successful exploitation can lead to privilege elevation without existing privileges and with low attack complexity. Despite a relatively low CVSS v3 base score, Microsoft acknowledges the criticality due to active exploitation.
These vulnerabilities were also highlighted in Microsoft’s July 2026 Patch Tuesday release, where CVE-2026-56155 and CVE-2026-56164 were specifically noted as being exploited in the wild.
Real-World Impact
The active exploitation of these vulnerabilities means that threat actors are actively leveraging these flaws to gain unauthorized access, elevate privileges, or execute malicious code within targeted organizations. For SonicWall SMA1000 users, exploitation could lead to network-level compromise, enabling attackers to move laterally and access sensitive data. For Microsoft AD FS and SharePoint users, the exploited vulnerabilities could result in unauthorized access to sensitive information, administrative control over affected systems, and further penetration into an organization’s network. The AD FS flaw, in particular, could allow an attacker to gain higher levels of control within an identity management system, which is critical for accessing various enterprise resources. The SharePoint vulnerability is equally concerning, as it allows unauthenticated attackers to achieve privilege escalation over the network.
Threat Landscape
The addition of these vulnerabilities to CISA’s KEV Catalog underscores the persistent and evolving threat landscape. Both SonicWall and Microsoft products are widely deployed in enterprise and government environments, making them attractive targets for various threat actors, including state-sponsored groups and cybercriminal organizations. The fact that these vulnerabilities are being actively exploited signifies that threat actors have developed reliable exploit techniques and are using them in ongoing campaigns. This highlights the importance of timely patching and proactive vulnerability management as a foundational element of cybersecurity defense.
Remediation
In accordance with Binding Operational Directive (BOD) 26-04, federal agencies are mandated to remediate these vulnerabilities rapidly. CISA strongly urges all organizations, regardless of sector, to adopt a risk-based vulnerability management strategy and prioritize the immediate remediation of all vulnerabilities listed in the KEV Catalog. Specific actions for these vulnerabilities include:
- SonicWall SMA1000 Appliances: Apply the latest security patches and firmware updates released by SonicWall for CVE-2026-15409 and CVE-2026-15410. Organizations should also review their network configurations and access controls to limit exposure of these devices.
- Microsoft Active Directory Federation Services (AD FS): Apply the security update for CVE-2026-56155 as part of Microsoft’s July 2026 Patch Tuesday. Organizations should also ensure that AD FS deployments adhere to best practices for secure configuration and monitoring for suspicious activity.
- Microsoft SharePoint Server: Deploy the security update for CVE-2026-56164 as part of Microsoft’s July 2026 Patch Tuesday. Given the unauthenticated nature of the attack, internet-facing SharePoint servers are particularly at risk and require urgent attention. All organizations should also conduct thorough scans to detect any signs of compromise if these vulnerabilities were present on their systems prior to patching.
Related content
Actively Exploited Zero-Days in Microsoft SharePoint and AD FS Demand Immediate Patching
AdvisoryUrgent: Actively Exploited Microsoft ADFS Privilege Elevation Vulnerability…
AdvisoryCritical SonicWall SMA1000 SSRF Demands Immediate Action
AdvisoryAdvisory: Critical Code Injection in SonicWall SMA1000 Appliances
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call