They Stole the Second Factor Itself: SonicWall SMA Appliances Under Active Attack

By Jordan Polasek · July 18, 2026

They didn't just break into the appliance that guards your remote workers — they walked out with the keys, the spare keys, and the code to the alarm panel.

That's the honest way to describe what's happening right now with SonicWall's SMA 1000 remote-access appliances. These are the boxes a lot of Texas businesses put at the edge of their network so employees can log in securely from home, the road, or a job site. Two flaws in them are being actively exploited, and the attackers aren't just getting in — they're stealing the very thing that's supposed to stop them: your multi-factor authentication.

⚡ The 60-Second Version

What actually broke

An SMA 1000 appliance is a "secure access" gateway. Think of it as a locked, monitored front door that lets your staff reach internal systems from outside the office. Because it sits on the public internet by design, a serious flaw in it is a serious flaw in your whole network.

There are two here, and it's the combination that hurts:

On their own, each is a problem. Chained together — use the first to get a foothold, then the second to run commands — an attacker gets full control of the appliance. The affected models are the SMA 1000 Series 6210, 7210, and 8200v. The security team at Rapid7 spotted the attacks in the wild before there was even a public fix, which is exactly the kind of "the bad guys knew first" situation that should make any owner sit up.

Why this one is worse than a normal break-in

Most vulnerability stories end with "an attacker got in." This one goes a step further. Once the attackers were on these appliances, investigators watched them systematically harvest three things:

1. Login credentials — the usernames and passwords flowing through the gateway.

2. Active session databases — the digital "you're already logged in" tokens, which can let someone impersonate a user without needing the password at all.

3. TOTP MFA seed configurations — the secret codes behind those six-digit numbers in your authenticator app.

That third one is the gut punch. Multi-factor authentication is the single best protection most small businesses have. When an attacker steals the seed — the underlying secret your authenticator app uses — they can generate valid six-digit codes themselves, forever, until that seed is reset. In other words, they didn't bypass your MFA. They copied it. That's how they turn a single break-in into long-term, quiet access and use stolen domain credentials to move deeper into your network.

Who needs to care

If your business uses a SonicWall SMA 1000 appliance for remote or VPN access, this is a drop-everything item. But the broader lesson reaches further than SonicWall.

This is now a pattern we've written about repeatedly this year: the security appliance at the edge of the network — the firewall, the VPN box, the remote-support tool — has become the attacker's favorite front door. It's exposed to the internet on purpose, it's trusted deeply, and when it's patched late, it's a straight shot inside. If you own one of these devices from any vendor, the questions below apply to you too.

What this means for your business

Here's the prioritized list for this week:

How BVTech helps

If BVTech manages your network, edge appliances like these are inventoried, monitored, and patched on our schedule — not left to a quarterly to-do list — and this specific SonicWall issue is already on our radar for the clients it touches. The MFA-seed theft angle is also why we push managed clients toward phishing-resistant sign-in and prompt session and credential rotation after any edge event.

If you're not a client and you're not sure whether you have an exposed appliance — or whether it's been patched — that uncertainty is the whole problem. Take a look at your posture on our security scoreboard, read more about how we handle managed IT and cybersecurity, or just book a call and we'll help you find out. It's a short conversation, and it's a lot cheaper than the alternative.

— Jordan Polasek · Founder, BVTech LLC