Secretus logoSecretus

Stolen TOTP seeds and a CVSS 10: the week your MFA became the loot

·6 min read

If you run anything at a network edge, this was a long week. In the span of a few days: two SonicWall zero-days exploited in the wild (one scoring a perfect CVSS 10.0), a critical account-takeover flaw in Zoom for Windows, a record-breaking Microsoft Patch Tuesday, and a CISA warning about active exploitation of on-premises SharePoint. Underneath the patching chaos runs one quieter theme worth pulling out: what the attackers were actually taking.

SonicWall: the appliance as a secrets vault — for the attacker

SonicWall warned that two SMA1000 vulnerabilities are being exploited in tandem as zero-days: CVE-2026-15409, an unauthenticated server-side request forgery in the Work Place interface rated CVSS 10.0, and CVE-2026-15410, a post-authentication command injection in the management console. Affected models include the SMA6210, SMA7210 and SMA8200v; the US government gave federal agencies until July 17 to patch or unplug.

The payload is the part that deserves a second read. Per incident responders, the attackers used the chain for stealthy initial access and then extracted credentials, active session databases, and TOTP seed configurations. Read that last one again: the seeds that generate your six-digit MFA codes. Whoever holds the seed can mint valid codes forever — your second factor stops being a factor. It's a reminder that MFA seeds, session stores and cached credentials are secrets like any other, and the appliances that hold them are single points where thousands of them can be stolen at once.

The rest of the fire drill

  • Zoom Workplace for Windows (CVE-2026-53412, CVSS 9.8) — a critical flaw that could enable account takeover; updates are out. Collaboration tools sit on every machine in the company, which makes them perimeter whether you think of them that way or not.
  • Microsoft Patch Tuesday — a record ~570 vulnerabilities addressed in one cycle, including two zero-days already exploited in attacks and one publicly disclosed. Patch pipelines built for a few dozen fixes a month are being stress-tested by volume alone.
  • SharePoint, again — CISA warned that three vulnerabilities in internet-exposed on-premises SharePoint servers are under active exploitation. If last year's ToolShell wave didn't move your on-prem SharePoint behind a VPN or into retirement, this is the second memo.
  • Also this week: US military health beneficiaries' data was exposed in a breach at TRICARE West, and Spanish police disrupted a fraud ring accused of laundering €140 million from cyberattacks — a useful reminder that the money side of this economy is industrial too.

The pattern: secrets concentrate at the edge

The SonicWall incident is the cleanest illustration in months of a truth that patch notes tend to bury: edge appliances aren't just doors, they're warehouses. VPN concentrators and secure-access gateways hold password caches, live sessions, and MFA material for the whole workforce. Compromise one and you don't need to phish anyone — you walk out with the identity layer itself. The same logic applies to anywhere else secrets pool: chat exports, ticketing systems, CI logs, inboxes.

What actually helps

  • Patch the named boxes now — SMA1000 (both CVEs), Zoom for Windows, exposed SharePoint. The federal deadline for SonicWall was this week for a reason: exploitation is current, not theoretical.
  • After patching, assume extraction. If an exploited appliance held credentials, sessions or TOTP seeds, rotate them — re-enroll MFA where seeds may have left. A patched box with stolen seeds is still a compromised identity system.
  • Prefer phishing-resistant, device-bound factors. Passkeys and hardware keys don't have a seed file an appliance can leak. TOTP was a huge upgrade over passwords; it still depends on a shared secret sitting in storage somewhere.
  • Keep secrets moving, not resting. Every archive of credentials — in an appliance, an inbox, a chat history — is a future headline waiting for its CVE. Share secrets over channels that expire and self-destruct, keep the durable copies in a proper manager, and let everything in between be short-lived.

A note on sourcing: the incidents above were reported this week by the vendors themselves, national agencies, and established security press. Details of the SonicWall intrusions come from public incident-response reporting and may evolve as investigations continue.

Share a secret the safe way

End-to-end encrypted, one-time links — free, no account needed.

Try Secretus