CISA Adds Microsoft and SonicWall Flaws to KEV Catalog
CISA adds four actively exploited vulnerabilities affecting SonicWall SMA1000, Microsoft SharePoint, and AD FS to its KEV catalog.

The Known Exploited Vulnerabilities (KEV) catalog managed by the United States Cybersecurity and Infrastructure Security Agency (CISA) is one of the most influential threat intelligence resources in the world. When a security flaw is added to this list, it is not a theoretical warning: it means threat actors—both common cybercriminals and state-sponsored groups—are actively exploiting the vulnerability in ongoing campaigns.
On July 14, 2026, CISA updated its catalog by incorporating four new high-severity vulnerabilities affecting perimeter security appliances from SonicWall and core enterprise products from Microsoft (SharePoint and AD FS). This addition obligates U.S. federal agencies and private organizations worldwide to immediately prioritize mitigating these active risks.
Detailed View of the Newly Added Vulnerabilities
The new entries to the KEV catalog encompass flaws ranging from server-side request forgery to privilege escalation. Below are the key characteristics of the added CVEs:
| CVE Identifier | Affected Vendor & Product | Vulnerability Type | Severity (CVSS Score) | KEV Patch Deadline |
|---|---|---|---|---|
| CVE-2026-15409 | SonicWall SMA1000 | Server-Side Request Forgery (SSRF) | Critical (10.0) | July 17, 2026 |
| CVE-2026-15410 | SonicWall SMA1000 | Code Injection in Management Console | High (7.2) | July 17, 2026 |
| CVE-2026-56155 | Microsoft Active Directory AD FS | Local Privilege Escalation | Medium-High (6.8) | Immediate Mitigation |
| CVE-2026-56164 | Microsoft SharePoint Server | Network Privilege Escalation (Missing Auth) | High (7.8) | Immediate Mitigation |
Technical Analysis of the Threats and Attack Vectors
1. SonicWall SMA1000 Dual Perimeter Danger
SonicWall SMA1000 (Secure Mobile Access) series devices are physical and virtual appliances designed to provide secure remote access (VPN and SSL-VPN) to internal corporate networks. The CVE-2026-15409 flaw represents the maximum possible severity on the CVSS scale. It is an SSRF vulnerability that allows unauthenticated external attackers to force the perimeter device to send malicious HTTP requests to local administrative interfaces or protected internal servers.
Meanwhile, the CVE-2026-15410 flaw describes a code injection vulnerability in the appliance's management portal. By chaining both flaws, cybercriminals can bypass firewall access controls and execute arbitrary code with system administrator privileges on the SonicWall perimeter device.
2. Privilege Escalation in Active Directory Federation Services (AD FS)
AD FS is Microsoft's technology for single sign-on (SSO) federation across different business applications. The CVE-2026-56155 vulnerability is classified as insufficient access control granularity. A local attacker with basic domain user credentials can exploit this flaw to escalate their privileges to the AD FS service administrator level, gaining complete control over the organization's authentication tokens and the ability to impersonate senior executives.
3. Unauthenticated Access in SharePoint Server
Microsoft's SharePoint Server is the collaboration hub for document management and corporate intranets in thousands of companies. The CVE-2026-56164 flaw occurs because critical SharePoint functions lack proper authentication checks. A threat actor with network visibility to the SharePoint server can escalate privileges remotely, enabling them to download confidential databases without holding a legitimate user account.
The Patch Management Challenge in July 2026
The inclusion of these flaws in the KEV catalog coincides with the release of one of the largest and most complex "Patch Tuesday" updates in Microsoft history, which patches a cumulative total of 622 vulnerabilities across different environments.
For IT and cybersecurity teams, this volume of technical alerts makes triage extremely difficult. However, CISA's directive serves as a clear guide: immediate patching resources must prioritize flaws that are already being actively exploited in the wild. Patching AD FS controllers and SharePoint servers must be the first line of defense before addressing the rest of the non-exploited Patch Tuesday updates.
Hardening Access Authentication Using TOTP
A large portion of these privilege escalation and authentication bypass incidents in management portals or VPN consoles can be heavily mitigated by securing access with a strict two-factor authentication (2FA) scheme based on Time-based One-time Passwords (TOTP).
The TOTP algorithm adds a dynamic factor that changes periodically (typically every 30 seconds), rendering static credentials or basic privilege escalation useless, as the attacker would also need to possess the user's cryptographic software or hardware token secret.
To securely and independently implement your two-factor verification codes, you can rely on the TecnoCrypter TOTP Generator.
Technical Demonstration of the TOTP Algorithm (RFC 6238)
The logical mechanism supporting TOTP consists of mixing a pre-shared secret key with the current timestamp using hash functions. Below is an example in Python showing how systems generate and validate a 6-digit token under the IETF (RFC 6238) specifications:
import time
import hmac
import hashlib
import struct
def generate_totp_code(secret: bytes, interval: int = 30, digits: int = 6) -> str:
"""
Basic implementation of TOTP token generation.
"""
# 1. Calculate time steps elapsed since the Unix Epoch
time_steps = int(time.time() / interval)
# Pack the time value into a 64-bit binary format (Big Endian)
message = struct.pack(">Q", time_steps)
# 2. Generate HMAC-SHA1 signature using the secret and time message
signature = hmac.new(secret, message, hashlib.sha1).digest()
# 3. Dynamic truncation to deterministically extract 4 bytes from the signature
offset = signature[-1] & 0x0f
binary_code = struct.unpack(">I", signature[offset:offset+4])[0] & 0x7fffffff
# 4. Format the required digits
token = binary_code % (10 ** digits)
return str(token).zfill(digits)
# Demonstration secret key (usually decoded from Base32)
mfa_demo_key = b"SYSTEMS_SECRET_KEY_2026"
print("Current dynamic access token:", generate_totp_code(mfa_demo_key))
Integrating validations based on this model to protect AD FS consoles or administrative portals immediately blocks unauthorized remote access stemming from exploits that lack the physical verification factor.
Immediate Action Recommendations for IT Teams
If your organization uses Windows Server, on-premises SharePoint services, or SonicWall security appliances, you are advised to execute the following preventive tasks immediately:
- Urgent Patching of SonicWall SMA1000: Update your device firmware according to patching instructions provided by the manufacturer before CISA's critical deadline.
- Log Forensics: Given confirmed active exploitation, before applying updates, back up SonicWall and SharePoint connection logs to audit for strange request patterns that may indicate a compromise prior to patching.
- Restrict Console Access: Disable public internet visibility for Active Directory Federation Services and Microsoft SharePoint administration panels, restricting access exclusively through protected corporate Virtual Private Networks (VPNs).
- Secure Sharing of MFA Keys: When deploying TOTP verification for your admin team, avoid transmitting secret keys or QR codes via insecure chat channels. Follow the recommendations in our guide on how to share passwords securely on the Internet.
Conclusion
CISA's KEV catalog acts as a constant reminder that corporate cybersecurity is won in the speed of response. Active exploitation of critical flaws in SonicWall SMA1000 and Microsoft tools highlights the need for robust identity strategies. To learn more about secure system design and protecting data in transit, we recommend checking out our guides on client-side encryption and the importance of end-to-end encryption in enterprise information flows.


