SonicWall confirmed on July 14–15, 2026, that two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 appliances are being actively exploited in the wild. CVE-2026-15409 is a CVSS 10.0 server-side request forgery (SSRF) flaw that lets any unauthenticated attacker manipulate the appliance into making arbitrary network requests; CVE-2026-15410 is a post-authentication code injection flaw in the Appliance Management Console (AMC) that can allow a remote authenticated administrator to execute arbitrary OS commands. CISA added both to its Known Exploited Vulnerabilities catalog on July 14, 2026, with a federal patch deadline of July 17, 2026. Patches are available now — there are no workarounds.

What the Vulnerabilities Are

CVE-2026-15409 — SSRF in SMA1000 Work Place Interface (CVSS 10.0)

The SMA 1000 Appliance Work Place web interface fails to validate the destination of outbound requests it makes on behalf of clients. A remote, unauthenticated attacker can craft a specially formed request that causes the appliance to reach out to an attacker-controlled location — or to internal network resources behind the appliance — leaking session data, performing internal network reconnaissance, or bypassing perimeter controls. No credentials of any kind are needed to exploit this flaw.

CVE-2026-15410 — Code Injection in Appliance Management Console (CVSS 7.2)

The AMC, the administrative web interface for the SMA 1000 series, does not adequately sanitize input passed to operating system calls. An authenticated attacker with administrator-level access can inject OS commands that execute as the appliance’s service account. Although administrative credentials are a prerequisite, SonicWall PSIRT’s advisory notes the overall severity of the combined advisory is rated CVSS 10.0. SonicWall has not disclosed whether attackers are chaining both CVEs together, but the combination — using the SSRF to gather credentials or pivot, then the AMC code injection to execute commands — is a natural attack chain.

Volexity researchers Sean Koessel and Steven Adair assisted SonicWall’s internal investigation and helped identify an additional indicator of compromise.

Why It Matters

  • Actively exploited. SonicWall has confirmed it “investigated multiple cases indicating active exploitation” — these are not theoretical risks.
  • No credentials required for the most critical flaw. CVE-2026-15409 can be triggered by any internet-visible attacker with access to the Work Place web interface.
  • SMA 1000 is a remote access gateway. These appliances sit at the network edge, authenticating users and brokering access to internal web applications and servers. Compromise of the appliance often equals full access to everything it protects.
  • Prior SonicWall devices have been prime ransomware targets. SonicWall SSL-VPN and SMA appliances have been repeatedly leveraged by ransomware and espionage actors (CISA has issued multiple alerts on this product line in past years).
  • CISA KEV. Federal agencies must patch by July 17, 2026 — a two-day window reflecting the urgency.
  • No mitigations exist. Patching is the only fix; SonicWall explicitly states there are no workarounds.

Am I Affected?

You are affected if all of the following apply:

  1. You are running SonicWall SMA 1000 appliances — specifically models 6210, 7210, or 8200v.
  2. Your firmware is one of these platform-hotfix versions: 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, or 12.5.0-02800.

You are not affected if:

  • You are running SonicWall SSL-VPN on a SonicWall firewall (separate product).
  • You are running SonicWall SMA 100 Series appliances (separate product line).
  • You have already upgraded to platform-hotfix 12.4.3-03453 or 12.5.0-02835 or later.

What to Do About It: Step-by-Step

1. Identify your appliance and firmware version

Log in to your SMA 1000 and check the installed platform-hotfix version. Compare against the affected version list above.

2. Apply the patch immediately

Upgrade to one of the following hotfix releases:

  • 12.4.x branch: 12.4.3-03453 (or later)
  • 12.5.x branch: 12.5.0-02835 (or later)

Download from SonicWall’s support portal at https://www.sonicwall.com/support/downloads/ and follow your standard appliance upgrade procedure.

3. Check for indicators of compromise BEFORE bringing the appliance back online

SonicWall has provided the following IOCs — check all four:

# 1. Look for unusual auth API calls in the external web access log
grep -E "/__api__/(login|logout)" /var/log/extraweb_access.log | grep " 200 "

# 2. Look for suspicious wsproxy host parameters (WebSocket proxy abuse)
grep "/wsproxy" /var/log/extraweb_access.log | grep " 101 "

# 3. Look for hotfix rollback attempts using path traversal in ctrl-service log
grep "hotfix rollback" /var/log/ctrl-service.log | grep "\.\."

# 4. Check the NGINX unit config for illegitimate routes injected by attacker
cat /var/lib/unit/conf.json | grep -E "/__api__/(login|logout)"

Routes for /__api__/login or /__api__/logout in conf.json do not exist in legitimate configurations — their presence is a strong compromise indicator.

4. If compromise is confirmed

  • Physical appliances: Re-image from clean media.
  • Virtual appliances: Redeploy from a clean snapshot or template.
  • Credentials: Change ALL user and administrator passwords for the appliance.
  • MFA tokens: Reset all TOTP (time-based one-time password) tokens.
  • Incident response: Assume lateral movement may have occurred. Audit internal access logs for unusual activity from systems that authenticate through this appliance.

5. Review internet exposure

Even after patching, audit whether your SMA 1000 Work Place interface is directly exposed to the public internet. Restricting access to known IP ranges or placing the admin console (AMC) behind a jump host reduces future attack surface significantly.

Quick-Win Checklist

  • Confirm appliance model (6210, 7210, or 8200v) and current firmware version
  • Download and apply platform-hotfix 12.4.3-03453 or 12.5.0-02835 (depending on branch)
  • Run the four IOC checks above before resuming production traffic
  • Re-image or redeploy if any IOC is positive
  • Reset all admin and user passwords + TOTP tokens
  • Verify the SMA 1000 Work Place interface is not unnecessarily exposed to the open internet
  • Confirm your SSL-VPN firewalls and SMA 100 Series appliances are separate and unaffected
  • File a ticket with SonicWall support if investigation evidence suggests compromise

Sources