Bg ShapeBg Shape
THREAT INTELLIGENCE

Zero Day Vulnerabilities in SonicWall SMA1000

Affected Environment

SonicWall SMA1000 appliance models 6210, 7210, and 8200v running firmware versions 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. These vulnerabilities do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line.

Threat Overview

SonicWall disclosed two vulnerabilities in the SMA1000 appliance series that are currently being actively exploited in the wild. CVE-2026-15409 (CVSS 10.0) is a Server-Side Request Forgery vulnerability in the Appliance Work Place interface that allows a remote unauthenticated attacker to force the appliance to make requests to unintended internal or external locations. CVE-2026-15410 (CVSS 7.2) is a post-authentication code injection vulnerability in the Appliance Management Console that, under specific conditions, allows a remote authenticated administrator to execute arbitrary operating system commands. Both vulnerabilities are confirmed as zero-days, having been exploited before patches were available.

Exposure Timeline

Advisory published 15 July 2026. Active exploitation confirmed in the wild for both CVEs prior to patch availability. Fixed firmware versions are available now. Given the confirmed zero-day status and CVSS 10.0 severity of CVE-2026-15409, organisations should treat this as an emergency response and apply the hotfix immediately rather than following the standard ten-working-day window.

Attack Surface

CVE-2026-15409 is exploitable by any unauthenticated attacker with network access to the SMA1000 Appliance Work Place interface. CVE-2026-15410 requires authenticated administrator access to the Appliance Management Console but is exploitable remotely. Any internet-exposed SMA1000 appliance running affected firmware should be considered at immediate risk.

Operational Impact

CVE-2026-15409 allows an unauthenticated attacker to weaponise the SMA1000 appliance as a request proxy, forcing it to make connections to internal infrastructure, cloud metadata services, or external attacker-controlled systems. This can be used for internal network reconnaissance, credential theft from cloud environments, and exfiltration of sensitive data. CVE-2026-15410 allows a compromised or malicious administrator account to execute arbitrary OS commands on the appliance itself, potentially enabling full device takeover, configuration manipulation, credential extraction, and persistent backdoor installation. SonicWall has provided specific Indicators of Compromise that organisations should check immediately.

Strategic Impact

Risk is rated Critical for large and medium government and business entities, and High for small entities. SMA1000 appliances are used as remote access gateways in enterprise environments, placing them at the network boundary and making them high-value targets. Confirmed zero-day exploitation prior to patching means some organisations may already be compromised. The CVSS 10.0 score for CVE-2026-15409 reflects the maximum possible severity: unauthenticated, remotely exploitable, with critical impact.

Required Mitigation

Apply the following hotfix firmware versions immediately:

Firmware 12.4.3 branch: Upgrade to 12.4.3-03453 or higher.

Firmware 12.5.0 branch: Upgrade to 12.5.0-02835 or higher.

Before patching, check for the following Indicators of Compromise in appliance logs: requests to /__api__/login or /__api__/logout with HTTP 200 status in extraweb_access.log; requests to /wsproxy with suspicious host parameters returning HTTP 101 status; hotfix rollbacks with path traversal names in ctrl-service.log; routes for /__api__/login or /__api__/logout present in /var/lib/unit/conf.json (these URIs do not exist in legitimate configuration). If any IOCs are confirmed, re-image hardware appliances or re-deploy virtual appliances, change all user and administrator passwords, and reset all TOTP tokens.

Incident Response Guidance

Treat any SMA1000 appliance running affected firmware as potentially compromised until IOC review is complete. Preserve appliance logs before applying the firmware update. Filter network traffic to restrict access to the Appliance Work Place and Management Console interfaces to known and trusted IP ranges. Conduct automated vulnerability scans of all externally-exposed assets. Enable anti-exploitation features where supported and review all administrator accounts for unauthorised additions or modifications.

References

SonicWall PSIRT Advisory: psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008. CVEs: CVE-2026-15409, CVE-2026-15410.

Download the Full Report

Explore More of the Latest Threat Intelligence

Trusted by clients worldwide

Logo
Logo
Logo
Logo
Logo
Logo

Your 24/7 Security Partner

Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.

Awards Image
Awards Image
Awards Image
Awards Image
Awards Image
Awards Image