SonicWall warns of two SMA 1000 zero-days exploited in the wild (CVE-2026-15409, CVE-2026-15410)
SonicWall issued an urgent advisory after attackers were caught chaining two zero-day flaws in its SMA 1000 secure remote-access appliances — an unauthenticated SSRF rated CVSS 10.0 and a post-authentication command-injection bug — with Rapid7 having observed the pair exploited in tandem against internet-facing devices before any patch existed.
- Victim
- SonicWall SMA 1000
On 14 July 2026, SonicWall — the Milpitas, California network-security vendor — issued an urgent advisory warning that two previously unknown vulnerabilities in its SMA 1000 series secure remote-access appliances were being actively exploited as zero-days. The alert followed a report from Rapid7's Managed Detection and Response team, which said it had observed active, targeted exploitation of internet-facing SMA 1000 appliances — with the two flaws used in tandem — before SonicWall had a fix available.
The two bugs complement each other. CVE-2026-15409 is a server-side request forgery (SSRF) flaw in the appliance's Work Place interface, rated a maximum CVSS 10.0, that a remote, unauthenticated attacker can use to coerce the appliance into making requests to unintended destinations. CVE-2026-15410 is a post-authentication code-injection flaw in the Appliance Management Console (AMC), rated CVSS 7.2, that lets a remote authenticated attacker execute arbitrary operating-system commands as administrator under certain conditions. Chained together, they hand an attacker a path from unauthenticated network access toward administrative command execution on the gateway that fronts an organisation's remote workforce.
Affected products and patches
The flaws affect SonicWall's SMA 6210, SMA 7210 and SMA 8200v appliances. SonicWall shipped fixes in platform-hotfix builds 12.4.3-03453 and 12.5.0-02835 (and higher), urging customers to update immediately and to review appliance logs for signs of compromise. The company's separately maintained SMA 100 series and its firewall lines were not listed as affected by this advisory.
Regulatory response
The same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to remediate — or discontinue use of the affected appliances — by 17 July 2026 under Binding Operational Directive 26-04. As internet-facing VPN gateways, SMA appliances are a recurring target for intrusion crews because a foothold on the device sits directly on the boundary between the public internet and an organisation's internal network. With exploitation confirmed in the wild and no public attribution to a named actor at the time of disclosure, the situation remained ongoing and defenders were urged to patch without waiting for a maintenance window.
Timeline
Rapid7's Managed Detection and Response team reports having observed active, targeted zero-day exploitation of internet-facing SMA 1000 appliances, with the two flaws used in tandem, prior to any public disclosure.
SonicWall publishes an urgent product notice for CVE-2026-15409 and CVE-2026-15410, confirming active exploitation and releasing hotfix builds 12.4.3-03453 and 12.5.0-02835.
CISA adds both CVEs to its Known Exploited Vulnerabilities catalog, giving federal civilian agencies until 17 July 2026 to remediate or discontinue use under Binding Operational Directive 26-04.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-flaws-exploited-in-zero-day-attacks-patch-now/
- helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/07/14/sonicwall-sma-attacks-via-cve-2026-15409-cve-2026-15410/
- securityweek.comhttps://www.securityweek.com/sonicwall-issues-urgent-sma-patch-warning-for-two-zero-day-exploits/
- rapid7.comhttps://www.rapid7.com/blog/post/etr-rapid7-mdr-team-discovers-new-sonicwall-sma1000-zero-days-being-actively-exploited-cve-2026-15409-cve-2026-15410/
- thehackernews.comhttps://thehackernews.com/2026/07/two-sonicwall-sma-1000-zero-days.html
- cisa.govhttps://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog