SonicWall SMA1000 Zero-Days CVE-2026-15409 and CVE-2026-15410 Actively Exploited; Patch Alone Is Not Enough
AK
Alex Kim Threat intelligence editor · Updated Jul 15, 2026, 4:46 PM EDT
SonicWall SMA1000 Zero-Days CVE-2026-15409 and CVE-2026-15410 Actively Exploited; Patch Alone Is Not Enough
SonicWall SMA1000 Zero-Days CVE-2026-15409 and CVE-2026-15410 Actively Exploited; Patch Alone Is Not Enough
SonicWall confirmed on July 14, 2026, that two zero-day vulnerabilities in its SMA 1000 Series secure remote-access appliances are under active exploitation in the wild, with third-party observations dating the first attacks to around June 22. The flaws—CVE-2026-15409, an unauthenticated server-side request forgery scored at CVSS 10.0, and CVE-2026-15410, an authenticated code-injection issue scored at CVSS 7.2—are being chained to move from internet exposure to full appliance compromise. CISA added both to its Known Exploited Vulnerabilities catalog with a July 17 remediation deadline for U.S. federal civilian agencies, turning a vendor hotfix into an immediate operational emergency for every organization still running listed builds.
Edge SSL VPN gateways remain prime initial-access targets. Confirmed pre-patch exploitation and a short federal window elevate this beyond a routine advisory: any SMA1000 still on vulnerable firmware must be treated as potentially breached until logs and filesystem indicators say otherwise.
Technical Nature of the Flaws
CVE-2026-15409 is a critical server-side request forgery vulnerability in the SMA1000 Appliance Work Place interface. A remote, unauthenticated attacker can force the appliance to issue HTTP(S) requests to attacker-chosen locations, pivoting into internal services or the management plane that would otherwise be access-controlled. SonicWall rates it CVSS 10.0. Root-cause detail beyond the Work Place surface is not public; no CWE identifier or specific parameter has been disclosed.
CVE-2026-15410 is a high-severity code-injection flaw in the Appliance Management Console (AMC). An attacker who already holds administrator authentication can achieve improper control of code generation and execute arbitrary operating-system commands. The vendor scores it CVSS 7.2. Successful injection yields OS-level control of the gateway itself.
Neither flaw is a single-request unauthenticated remote code execution. The accurate model is a chain: unauthenticated SSRF supplies reachability into an admin context that the second flaw then converts into OS command execution. Analysts at VulnCheck, watchTowr and Tenable describe the combined path as zero access to complete system compromise of the appliance. No public proof-of-concept code had been released at the time of the initial Tenable analysis; defenders should expect scanning volume to rise if one appears.
Observed Attacks and Attribution Signals
SonicWall PSIRT investigated multiple cases and stated the vulnerabilities “are being actively exploited in the wild.” Rapid7 reported first seeing the activity on June 22—roughly three weeks before public disclosure. In the cases Rapid7 interrupted, the observed goal was ransomware-oriented (exfiltration and encryption); overlapping tactics, techniques and procedures suggested a single actor or group. SonicWall itself has not named a threat actor or ransomware brand.
Discovery credit went first to Adam Babis of SonicWall PSIRT. A same-day advisory update also credited Sean Koessel and Steven Adair of Volexity for advancing the investigation and expanding the indicator-of-compromise list. Bret Fitzgerald of SonicWall said the company developed a customer-assist script within days of awareness and that SMA1000 units represent fewer than 5,000 devices inside a roughly one-million-sensor footprint—small absolute numbers but high per-device impact.
Affected Inventory and Impact
The vulnerabilities affect SMA 1000 models 6210, 7210, 8200v and CMS (all hypervisors). Confirmed vulnerable platform-hotfix builds are:
Branch
Vulnerable builds
12.4.3
12.4.3-03245, 12.4.3-03387, 12.4.3-03434
12.5.0
12.5.0-02283, 12.5.0-02624, 12.5.0-02800
Fixed builds are 12.4.3-03453 and higher and 12.5.0-02835 and higher. According to CSA Singapore, the flaws do not affect SSL-VPN functionality on SonicWall firewalls or the SMA 100 Series product line.
Because these appliances sit at the remote-access edge, a single compromise can yield administrator credentials, VPN session tokens and detailed topology knowledge—high-fidelity breach risk even with a modest installed base.
Vendor Response and Remediation Order
SonicWall’s product notice is unambiguous: the vulnerabilities are actively exploited, they are unrelated to concurrent issues on other SonicWall products, and “patching alone is not sufficient.” Hotfixes were delivered in advance via Support and posted to mysonicwall.com on July 14. No workarounds short of the patch-and-hunt path have been published.
Recommended operational sequence:
Inventory every SMA6210, 7210, 8200v and CMS instance (physical and virtual) and record the exact platform-hotfix version via AMC/CMC.
Upgrade immediately to 12.4.3-03453+ or 12.5.0-02835+ from mysonicwall or Support.
Hunt the vendor-supplied indicators of compromise on every appliance both before and after the upgrade.
If any indicator is present: re-image hardware appliances (6210/7210) or re-deploy virtual appliances (8200v); change all user and administrator passwords; reset all TOTP tokens.
Restore configuration only from backups that pre-date the December hotfix installs (12.4.3-03245 and 12.5.0-02283). If no such backup exists, audit the running configuration for tampering rather than restoring blindly.
Open a SonicWall Support case for scripted assistance or case-by-case guidance.
U.S. federal civilian agencies must meet the CISA KEV deadline of July 17, 2026.
Detection Guidance Security Teams Can Use Today
SonicWall (with Volexity assistance) published four concrete indicators:
Source
Signature
Interpretation
extraweb_access.log
Requests to /_api_/login or /__api__/logout returning HTTP 200
Suspicious API login/logout patterns
extraweb_access.log
Requests to /wsproxy with suspicious host parameters and HTTP 101
WebSocket-proxy abuse / SSRF-adjacent pivoting
ctrl-service.log
Entries containing “hotfix removal” with path-traversal-style names
Persistence or anti-forensics / hotfix tampering
Filesystem
/var/lib/unit/conf.json containing routes for /__api__/login and /__api__/logout
Implant or configuration-rewrite indicator
Additional practical detections include anomalous outbound requests originating from the SMA to internal management ranges (classic SSRF behavior) and AMC administrator sessions created from unexpected sources after Work Place activity. Any positive hit should be treated as full compromise of the edge device. Tenable has plugins in its pipeline for both CVEs and Attack Surface Management filters for SonicWall assets; other vendors have stated they are monitoring and releasing protections as available. No public malware family names, C2 domains or file hashes have been released, so detection remains tightly scoped to the vendor log and filesystem signatures.
B
Reach AMC / internal endpoints
D
OS command execution
Residual Risk After the Hotfix
A successful patch does not equal a clean device. Persistence via unit configuration routes, stolen credentials and compromised TOTP seeds means residual risk remains until the appliance is re-imaged or re-deployed and all secrets are rotated. Blind restoration of a post-compromise configuration backup reintroduces attacker changes—the vendor therefore gates restores on pre-December-hotfix backups.
Long-lived SSL VPN appliances concentrate identity, session state and network insight on a single internet-reachable device; SonicWall products have accumulated about 17 entries in CISA’s KEV catalog since late 2021, several ransomware-linked. Defenders should also watch for public PoC release, which historically triggers opportunistic scanning spikes against remaining unpatched units.