The flaws: CVE-2026-15409 and CVE-2026-15410
SonicWall publicly disclosed two zero-day vulnerabilities — CVE-2026-15409 and CVE-2026-15410 — in a security advisory this week. The vendor credited an employee with discovering the defects and released a software update upon disclosure. SonicWall said the vulnerabilities affect SMA1000 appliances and described one defect as a max-severity issue that allows attackers to make authenticated requests and the other as a 7.2-rated vulnerability that permits authenticated command injection.
How attackers chain the vulnerabilities
SonicWall confirmed both vulnerabilities have been chained together in observed attacks. Landon Rice, senior exploit developer at VulnCheck, summarized the risk: “When these two are chained, an attacker can go from zero access to a complete system compromise for the affected appliance.” That chaining creates a plausible path from internet-facing access to full compromise of the appliance when an attacker can exploit both flaws in sequence.
Rapid7's findings and observed activity
Rapid7 researchers told CyberScoop that both vulnerabilities were first exploited on June 22. Rapid7’s team observed overlapping tactics, techniques and procedures that indicate a single threat group or attacker discovered and exploited the zero-days, according to Seth Lazarus. The firm said its responders have blocked exfiltration and encryption in cases they observed, leaving ransomware as the likely goal.
SonicWall's response, mitigation steps, and visibility
SonicWall released an updated software version when it disclosed the defects and encouraged customers to patch by upgrading to that version. Bret Fitzgerald, senior director of global communications at SonicWall, said “Speed of response was a priority for us,” and that within days the company had developed a script it can run on behalf of affected customers to assist with resolution. The vendor also shared indicators of compromise to help customers hunt for malicious activity and said support staff are assisting customers working through suspicious activity, warning that “patching alone is not sufficient.”
SonicWall disclosed some scale information: the company monitors about one million sensors globally, and “SMA1000 appliances represent a very small subset of that footprint, less than 5,000 units.” The vendor told CyberScoop it has investigated multiple cases of active exploitation but did not specify how many customers were impacted. The Cybersecurity and Infrastructure Security Agency added both zero-days to its known exploited vulnerabilities catalog on Tuesday.
What this means for SonicWall customers, Rapid7 and watchTowr, and CISA
- SonicWall customers and security teams: SonicWall provided an upgraded software release and an on-demand script run option, plus indicators of compromise, and warned that remediation may require more than just patching. The company said its support staff are helping customers investigate suspicious activity.
- Rapid7 and incident responders: Rapid7 reported first exploitation on June 22, observed correlated attack behavior suggesting a single actor or group, and said responders have so far prevented data exfiltration and encryption in observed cases — but the firm characterized ransomware as the likely objective.
- watchTowr and independent researchers: Ben Harris, founder and CEO at watchTowr, highlighted two aggravating characteristics — the vulnerabilities were exploited as zero-days before fixes were available, and together they provide a plausible path to remote-code execution from the internet — and said that when exploitation is confirmed “patching is the bare minimum, and breach should be assumed.”
- CISA and federal tracking: CISA added both CVE-2026-15409 and CVE-2026-15410 to its known exploited vulnerabilities catalog on Tuesday, joining a sequence of prior SonicWall-related entries; the vendor has had 17 defects added to CISA’s catalog since late 2021, ten of which CISA says are known to be used in ransomware campaigns.
The new disclosures arrive against a backdrop of prior, high-impact incidents involving SonicWall. In 2025, an undisclosed state-sponsored threat actor intruded the company’s cloud environment and stole firewall configurations of every SonicWall customer, the vendor has previously acknowledged. CISA notes that ten of the vendor’s cataloged defects have been used in ransomware campaigns, “including a wave of about 40 Akira ransomware attacks between mid-July and early August.”
Speedy patching and coordinated incident response are now central to containment: SonicWall released fixes and assistance scripts upon disclosure, third-party researchers reported exploitation beginning June 22, and federal authorities have cataloged the flaws. But the record assembled so far — chained zero-days exploited in the wild, observed attempts that Rapid7 ties to likely ransomware goals, and a history of high-impact intrusions — supports the cautious posture voiced by outside researchers that patching is a baseline, not a full remedy. As Ben Harris put it, when exploitation is confirmed, “breach should be assumed.”




