ZERO-DAY EXPLOITATION

Two SonicWall SMA 1000 Zero-Days Under Active Attack, One Rated CVSS 10.0

SonicWall confirmed active exploitation of two zero-days in SMA 1000 series appliances, including a CVSS 10.0 unauthenticated SSRF and a post-auth code injection flaw that yields admin-level command execution.

Matt Lucas  |  July 15, 2026  |  5 min
Editorial hero illustration
CVEs in this postCVE-2026-15409CVE-2026-15410Live detections →All RedEye CVEs →
10.0
2
Zero-days exploited
Jul 17
CISA KEV deadline
Admin
Command exec impact
TL;DR
  • What: SonicWall confirmed active exploitation of two SMA 1000 zero-days: a CVSS 10.0 unauthenticated SSRF (CVE-2026-15409) and a post-auth code injection (CVE-2026-15410) that runs OS commands as administrator.
  • Impact: Chained, the flaws let attackers reach the appliance management console and execute arbitrary admin-level commands on internet-facing remote-access gateways.
  • Fix / mitigation: Upgrade to 12.4.3-03453 (platform-hotfix) or 12.5.0-02835 (platform-hotfix) or higher; CISA requires FCEB agencies to patch by July 17, 2026.
  • Who's at risk: Any organization running SonicWall SMA 1000 series appliances for secure remote access is at risk.

SonicWall has confirmed that attackers are actively exploiting two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances, and one of them scores a perfect CVSS 10.0. These are internet-facing remote-access gateways, so a compromise puts an attacker directly on the edge of the corporate network. SonicWall says it investigated multiple cases of in-the-wild exploitation before disclosing.

CISA has already added both CVEs to its Known Exploited Vulnerabilities catalog and set a hard patch deadline of July 17, 2026 for Federal Civilian Executive Branch agencies. That is a two-day window from disclosure, which signals how seriously the government is treating this. Private-sector teams should treat the same date as their own deadline.

The two flaws

Individually, an SSRF and a post-auth bug are moderate concerns. Chained, they are not. The unauthenticated SSRF gives an attacker a foothold to reach the AMC, and the code injection then converts that access into administrator-level command execution on the box. That is full control of a device that terminates VPN and remote-access sessions for the whole organization.

Patched versions

Fixes are available now. Upgrade to one of the following builds or higher:

Patching is not enough if you were already hit

SonicWall confirmed active exploitation, so assume compromise is possible until you prove otherwise. If any indicator of compromise is present, re-image physical appliances or redeploy virtual appliances, change all user and administrator passwords, and reset time-based one-time password (TOTP) tokens. A patched-but-compromised appliance leaves the attacker's access intact.

Indicators of compromise

SonicWall published specific log and configuration artifacts to hunt for. Volexity researchers Sean Koessel and Steven Adair are credited with helping identify an additional indicator. Check for the following:

Why the /__api__ routes matter

The /__api__/login and /__api__/logout endpoints are not part of a valid SMA 1000 configuration. If they show up in your access logs with 200 responses or as routes in conf.json, an attacker has added them. This is one of the cleanest yes/no indicators in the advisory - do not skip the conf.json check even if the logs look clean.

What to do now

SMA 1000 appliances have a long history as high-value targets because they sit at the network edge and broker trusted access. Move on this today: patch to a fixed build, run the full IoC hunt against your logs and conf.json, and if anything matches, re-image rather than clean. Credit for discovery goes to SonicWall PSIRT's Adam Babis, with Volexity assisting the investigation. Given confirmed exploitation and a CVSS 10.0 in the mix, treat any exposed, unpatched SMA 1000 as a live incident until verified clean.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us