- What: SonicWall confirmed active exploitation of two SMA 1000 zero-days: a CVSS 10.0 unauthenticated SSRF (CVE-2026-15409) and a post-auth code injection (CVE-2026-15410) that runs OS commands as administrator.
- Impact: Chained, the flaws let attackers reach the appliance management console and execute arbitrary admin-level commands on internet-facing remote-access gateways.
- Fix / mitigation: Upgrade to 12.4.3-03453 (platform-hotfix) or 12.5.0-02835 (platform-hotfix) or higher; CISA requires FCEB agencies to patch by July 17, 2026.
- Who's at risk: Any organization running SonicWall SMA 1000 series appliances for secure remote access is at risk.
SonicWall has confirmed that attackers are actively exploiting two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances, and one of them scores a perfect CVSS 10.0. These are internet-facing remote-access gateways, so a compromise puts an attacker directly on the edge of the corporate network. SonicWall says it investigated multiple cases of in-the-wild exploitation before disclosing.
CISA has already added both CVEs to its Known Exploited Vulnerabilities catalog and set a hard patch deadline of July 17, 2026 for Federal Civilian Executive Branch agencies. That is a two-day window from disclosure, which signals how seriously the government is treating this. Private-sector teams should treat the same date as their own deadline.
The two flaws
- CVE-2026-15409 (CVSS 10.0) - a server-side request forgery (SSRF) flaw exploitable by a remote, unauthenticated attacker. It can force the appliance to make requests to an unintended location, the classic first link in a chain to reach internal services or the management plane.
- CVE-2026-15410 (CVSS 7.2) - a post-authentication code injection flaw in the Appliance Management Console (AMC). A remote authenticated attacker can execute arbitrary operating system commands as administrator under certain conditions.
Individually, an SSRF and a post-auth bug are moderate concerns. Chained, they are not. The unauthenticated SSRF gives an attacker a foothold to reach the AMC, and the code injection then converts that access into administrator-level command execution on the box. That is full control of a device that terminates VPN and remote-access sessions for the whole organization.
Patched versions
Fixes are available now. Upgrade to one of the following builds or higher:
- 12.4.3-03453 (platform-hotfix) and higher
- 12.5.0-02835 (platform-hotfix) and higher
SonicWall confirmed active exploitation, so assume compromise is possible until you prove otherwise. If any indicator of compromise is present, re-image physical appliances or redeploy virtual appliances, change all user and administrator passwords, and reset time-based one-time password (TOTP) tokens. A patched-but-compromised appliance leaves the attacker's access intact.
Indicators of compromise
SonicWall published specific log and configuration artifacts to hunt for. Volexity researchers Sean Koessel and Steven Adair are credited with helping identify an additional indicator. Check for the following:
- In extraweb_access.log: requests to /__api__/login or /__api__/logout returning HTTP 200.
- In extraweb_access.log: requests to /wsproxy with suspicious host parameters returning HTTP 101.
- In ctrl-service.log: hotfix rollbacks with path-traversal-style names.
- In /var/lib/unit/conf.json: routes for /__api__/login or /__api__/logout - these URIs do not exist in any legitimate configuration, so their presence is a strong signal of tampering.
The /__api__/login and /__api__/logout endpoints are not part of a valid SMA 1000 configuration. If they show up in your access logs with 200 responses or as routes in conf.json, an attacker has added them. This is one of the cleanest yes/no indicators in the advisory - do not skip the conf.json check even if the logs look clean.
What to do now
SMA 1000 appliances have a long history as high-value targets because they sit at the network edge and broker trusted access. Move on this today: patch to a fixed build, run the full IoC hunt against your logs and conf.json, and if anything matches, re-image rather than clean. Credit for discovery goes to SonicWall PSIRT's Adam Babis, with Volexity assisting the investigation. Given confirmed exploitation and a CVSS 10.0 in the mix, treat any exposed, unpatched SMA 1000 as a live incident until verified clean.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us