Skip to main content
Emerging Threats

SonicWall Zero-Days Exploited, Enable Admin Command Execution

Network equipment room with racked device, cables, and blurred management console.

"SonicWall has investigated multiple cases indicating the active exploitation of the vulnerabilities," the company said, urging immediate fixes.

Two zero-days in SonicWall SMA 1000 appliances

SonicWall has warned that two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances are being actively exploited. The flaws are cataloged as CVE-2026-15409 and CVE-2026-15410. SonicWall reported that one of the vulnerabilities could allow an attacker to execute arbitrary operating system commands as an administrator under certain conditions.

Technical details: SSRF and post-auth code injection

The two issues differ in capability and severity. CVE-2026-15409, scored 10.0 on the CVSS scale, is a server-side request forgery (SSRF) vulnerability. SonicWall described it as allowing a remote, unauthenticated attacker to potentially cause the appliance to make requests to an unintended location. The second, CVE-2026-15410, scored 7.2, is a post-authentication code injection vulnerability rooted in the Appliance Management Console (AMC); SonicWall said a remote, authenticated attacker could exploit it to execute arbitrary operating system commands as administrator under certain conditions.

Patches released and mandated deadline for federal agencies

SonicWall published platform hotfixes and instructed customers to apply them as soon as possible. The fixes are included in these builds and any higher version:

  • 12.4.3-03453 (platform-hotfix) and higher
  • 12.5.0-02835 (platform-hotfix) and higher

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities (KEV) catalog and required Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 17, 2026.

Indicators of compromise and recommended recovery steps

SonicWall published specific indicators of compromise (IoCs) for customers to search for during forensic review. Administrators are urged to inspect logs and configuration files for these artefacts:

  • extraweb_access.log entries showing requests to /__api__/login or /__api__/logout with HTTP 200 status
  • extraweb_access.log entries showing requests to /wsproxy with suspicious host parameters with HTTP 101 status
  • ctrl-service.log entries mentioning hotfix rollbacks with path traversal names
  • /var/lib/unit/conf.json containing routes for /__api__/login or /__api__/logout (SonicWall notes these URIs do not exist in legitimate configuration)

If any of these indicators are present, SonicWall advised organizations to re-image physical appliances or redeploy virtual appliances, change user and administrator passwords, and reset time-based one-time password (TOTP) tokens.

Who discovered the flaws and outside contributions

SonicWall credited Adam Babis of its product security incident response team (PSIRT) with discovering and reporting the vulnerabilities. The company also acknowledged contributions from Volexity researchers Sean Koessel and Steven Adair, who assisted the internal investigation and helped identify an additional IoC.

What this means for FCEB agencies, system administrators, and incident responders

  • Federal Civilian Executive Branch agencies: CISA's inclusion of the two CVEs in the KEV catalog imposes a mandatory remediation deadline — agencies must apply the available hotfixes by July 17, 2026.
  • System administrators and SonicWall customers: Organizations running SMA 1000 series appliances should verify platform versions and apply the platform-hotfix builds 12.4.3-03453 or 12.5.0-02835 (or later) immediately, and perform the forensic checks SonicWall published for the listed IoCs.
  • Incident responders: If IoCs are detected, responders should follow the recovery path SonicWall recommended — re-image or redeploy affected appliances, rotate user and admin credentials, and reset TOTP tokens — and document any evidence for follow-up investigation.

The combination of an unauthenticated SSRF with a separate post-authentication code-injection path and active exploitation raised the urgency of SonicWall's advisory. Organizations that operate SMA 1000 series appliances must check versions, scan logs for the cited IoCs, and apply the vendor patches immediately. For those in the federal civilian space, the CISA KEV listing sets a hard compliance date of July 17, 2026.

Original reporting: https://thehackernews.com/2026/07/two-sonicwall-sma-1000-zero-days.html