SonicWall is warning customers that two zero-day vulnerabilities in its SMA1000 series secure remote access appliances are under active exploitation, with attackers chaining them together to gain unauthenticated remote code execution as root. CISA added both CVEs to its Known Exploited Vulnerabilities catalog on July 14, giving federal agencies until July 17, 2026 to patch or pull the devices offline.

What Happened

SonicWall’s PSIRT, credited internally to Adam Babis, discovered the pair of flaws after investigating multiple customer incidents. Volexity’s Sean Koessel and Steven Adair assisted the investigation and helped identify an additional indicator of compromise, suggesting the bugs were first caught via incident response rather than proactive research. SonicWall confirmed active exploitation before publishing hotfixes, which puts this in the same “attacker-discovered-it-first” category as the string of Ivanti, Citrix, and Fortinet edge-device zero-days from the past two years.

SMA1000 appliances sit at the network perimeter as SSL-VPN and secure remote access gateways — exactly the kind of internet-facing box that gives an attacker a direct foothold into the internal network once compromised.

Technical Details

CVE-2026-15409 (CVSS 10.0) is a server-side request forgery vulnerability in the SMA1000 Appliance Work Place interface. It requires no authentication and lets a remote attacker force the appliance into making requests to arbitrary internal or external locations — the classic SSRF primitive for reaching internal-only services and management interfaces that shouldn’t be reachable from the WAN side.

CVE-2026-15410 (CVSS 7.2) is a post-authentication code injection flaw in the SMA1000 Appliance Management Console. On its own it requires an authenticated administrator session, which normally limits its blast radius.

The two aren’t being exploited independently — SonicWall and multiple incident responders report attackers chaining them: CVE-2026-15409’s SSRF is used to reach and manipulate the management console context, effectively satisfying the “authenticated” precondition for CVE-2026-15410, which is then used to inject and execute arbitrary OS commands. The end result is unauthenticated remote code execution with administrative privileges on the appliance — full compromise from the internet with no credentials required.

Affected products: SMA6210, SMA7210, and SMA8200v appliances running the SMA1000 series firmware. SMA100-series (SMA 210/410/500v) devices are a separate product line and not implicated in this advisory.

Impact

Any organization running SMA1000 for remote-access VPN is exposed to full appliance takeover from the public internet. Because SMA1000 appliances broker access into internal networks, a compromised appliance is a ready-made pivot point — attackers can harvest VPN session tokens, intercept credentials, and use the appliance’s trusted position to reach further into the internal network. This pattern (edge VPN/SSL-gateway compromise as the initial-access vector) has been the dominant entry point for ransomware affiliates over the past two years, and SonicWall gear specifically has been targeted by Akira and other ransomware crews in prior incidents.

Mitigation

  • Update to hotfix 12.4.3-03453 or 12.5.0-02835, available through SonicWall Support. SonicWall is distributing these as direct hotfixes rather than a standard firmware release — contact support if the update isn’t visible through normal channels.
  • Federal agencies must remediate under Binding Operational Directive (BOD) 26-04 by July 17, 2026, or disconnect the affected appliances if patching isn’t possible in time.
  • Review SMA1000 access and admin console logs for anomalous requests originating from the Appliance Work Place interface, and for admin-console activity you can’t attribute to known operators.
  • Treat any SMA1000 appliance that was internet-facing and unpatched in the days prior to the hotfix as potentially compromised — rotate credentials and VPN session secrets, and inspect for persistence mechanisms rather than assuming the patch alone remediates an already-exploited box.
  • Restrict management console access to trusted internal ranges where the deployment allows it; the Work Place interface used for the SSRF is typically the externally-facing component and can’t simply be firewalled off without breaking VPN functionality.

References