Skip to main content
Emerging Threats

SonicWall Disrupts Zero-Day Attacks with Urgent Patch for SMA1000 Flaws

Network equipment and security appliance in a secure facility setup.

"SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory," SonicWall warned.

CVE-2026-15409 and CVE-2026-15410 — the flaws, their scores, and exploitation

SonicWall has disclosed two vulnerabilities in the SMA1000 line that it says are being actively exploited in zero-day attacks. CVE-2026-15409 is a server-side request forgery (SSRF) flaw in the SMA1000 Appliance Work Place interface rated critical with a CVSS of 10.0 and allows a remote, unauthenticated attacker to force an appliance to make requests to unintended locations. CVE-2026-15410 is a post-authentication code‑injection vulnerability in the SMA1000 Appliance Management Console, given a high severity score of 7.2, which could permit a remote authenticated administrator to execute arbitrary operating system commands.

Despite CVE-2026-15410 requiring administrator privileges, SonicWall assigned the overall advisory an overall CVSS score of 10.0 and confirmed multiple incidents in which both vulnerabilities are being actively exploited.

Affected models, fixed releases, and what is not affected

The company identified the affected hardware and platform-hotfix releases precisely: SMA1000 models 6210, 7210, and 8200v running platform-hotfix releases 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. SonicWall provided fixes in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, and later releases.

SonicWall also clarified scope: the vulnerabilities do not impact SSL‑VPN running on SonicWall firewalls or the SMA 100 Series product line.

Indicators of compromise and recommended immediate actions

SonicWall published specific indicators of compromise (IOCs) administrators can use to detect possible compromise. Administrators should look for:

  • Requests to /__api__/login or /__api__/logout with HTTP 200 status appearing in extraweb_access.log
  • Requests to /wsproxy with suspicious host parameters returning HTTP 101 status appearing in extraweb_access.log
  • Mentions of hotfix rollbacks with path traversal names in ctrl-service.log
  • Presence of routes for /__api__/login or /__api__/logout in /var/lib/unit/conf.json (these URIs do not exist in legitimate configuration)

SonicWall strongly recommends upgrading to the latest hotfix release as soon as possible and performing an analysis to determine whether any of the above IOCs are present. If a device is found to be compromised, the company advises administrators to re-image physical appliances or redeploy virtual appliances, change all user and administrator passwords, and reset TOTP tokens. SonicWall further notes there are no workarounds or mitigations other than installing the hotfixes.

CISA listing and the federal compliance deadline

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities (KEV) catalog, a move that CISA describes as confirmation these vulnerabilities are being actively exploited in attacks. Under Binding Operational Directive (BOD) 26-04, federal agencies have until July 17, 2026, to secure affected systems or discontinue use of the product if mitigations cannot be applied.

What this means for administrators, procurement leads, and incident responders

Administrators and incident responders: SonicWall's published IOCs give a concrete checklist for triage — search the named logs and the /var/lib/unit/conf.json file, prioritize upgrades to platform-hotfix releases 12.4.3-03453 or 12.5.0-02835 (or later), and prepare re-imaging and credential resets if compromise is confirmed.

Procurement and enterprise risk teams: affected SMA1000 models and exact platform-hotfix versions are listed; organizations should inventory deployed appliances against those version strings and schedule immediate patching or decommissioning where fixes cannot be applied before the CISA deadline.

SonicWall has not disclosed whether attackers are chaining the two vulnerabilities together; BleepingComputer has contacted SonicWall for clarification and said it will update the reporting if a response is received. In the meantime, the vendor's stance is unambiguous: install the hotfixes now, hunt for the supplied IOCs, and treat compromised devices as candidates for full rebuild and credential rotation.

Original story