SonicWall SMA1000: Two Zero-Days Under Active Exploitation With CVSS 10.0 — CISA Orders Patch by July 17 or Disconnect
Eric Serrano Bustos
On 14 July 2026, SonicWall published a maximum-urgency security advisory confirming that two zero-day vulnerabilities in the SMA1000 series — its enterprise secure remote access appliance line — are being actively exploited in multiple real-world incidents. Hours earlier, Rapid7’s Managed Detection and Response (MDR) team had observed targeted attacks against internet-facing SMA1000 appliances, before SonicWall even published its official disclosure. CISA responded by adding both CVEs to its Known Exploited Vulnerabilities (KEV) catalog and, under Binding Operational Directive BOD 26-04, has set a deadline of tomorrow, 17 July 2026 for federal agencies to secure affected systems or discontinue use if the fix cannot be applied. No workaround or alternative mitigation exists: only the patch closes the hole. Hotfix versions are available on mysonicwall.com.
What do we know about CVE-2026-15409 and CVE-2026-15410 in SonicWall SMA1000?
Facts documented by SonicWall PSIRT, Rapid7, BleepingComputer, The Hacker News, SecurityWeek, Help Net Security and Hispasec:
CVE-2026-15409 (CVSS 10.0) — Unauthenticated SSRF in the Appliance Work Place interface: a remote attacker without credentials can send a specially crafted request to the Work Place interface — the remote access portal employees use from the internet — and force the appliance to open a WebSocket tunnel to internal services that should only be accessible from localhost. This allows reaching the Appliance Management Console (AMC) without any credentials.
CVE-2026-15410 (CVSS 7.2) — Post-authentication code injection in the AMC: an attacker with authenticated administrator access to the AMC can exploit a code injection flaw (CWE-94) to execute arbitrary operating system commands with administrator privileges. The CVE requires authentication, but when chained with CVE-2026-15409, that authentication requirement is bypassed.
The attack chain: both CVEs are used in tandem. The unauthenticated attacker uses CVE-2026-15409 to open a WebSocket tunnel to port 8188 on localhost, where the AMC listens. From there, the appliance acts as an authenticated requestor to the AMC, bypassing CVE-2026-15410’s authentication requirement. The result is operating system command execution as root, without any credentials, from the internet.
Affected models: SonicWall SMA 6210, SMA 7210 and SMA 8200v running any platform-hotfix version prior to 12.4.3-03453 or 12.5.0-02835. Not affected: SSL VPN functionality on SonicWall firewalls and the SMA 100 Series product line, which are different products with different architectures.
No workaround possible: SonicWall confirms no alternative mitigation exists. Firewall rules restricting access to the Work Place interface reduce the attack surface but do not constitute a complete mitigation: any attacker who reaches the portal can exploit the full chain.
Hotfixes available since July 14: 12.4.3-03453 (for the 12.4.3 branch) and 12.5.0-02835 (for the 12.5.0 branch), downloadable from mysonicwall.com.
Rapid7 MDR detected exploitation before the official disclosure: the Rapid7 MDR team observed active targeted attacks against internet-facing SMA1000 appliances before SonicWall published its advisory. This confirms threat actors had the exploit technique before a patch was available.
CISA KEV and Binding Operational Directive BOD 26-04: CISA added CVE-2026-15409 and CVE-2026-15410 to the KEV catalog on July 14-15 and invoked BOD 26-04, requiring all U.S. Federal Civilian Executive Branch agencies to patch or disconnect affected systems by July 17, 2026. This type of 48-hour deadline is reserved for vulnerabilities with evidence of active exploitation against high-value targets.
SonicWall’s history in CISA’s KEV catalog: the catalog now includes 17 vulnerabilities affecting SonicWall products. This is not an isolated case: threat actors systematically invest in finding flaws in perimeter remote access appliances because compromising one provides an entry point into the entire corporate network.
Why remote access appliances are the most-attacked perimeter target in 2026
They are the legitimate gateway into the network: compromising one is equivalent to compromising the perimeter. SMA1000 appliances manage remote access for employees, contractors and administrators. An attacker who compromises them inherits that trusted position: they can pivot to the internal network, intercept VPN credentials in transit, and access the systems legitimate users are entitled to reach.
The unauthenticated SSRF eliminates the need for prior credentials. CVE-2026-15409 removes that barrier: any attacker who can reach the Work Place interface from the internet can initiate the full exploitation chain without credentials.
The pattern is systematic and repeats across all major perimeter vendors. The Apolo blog has documented during June and July 2026 the same pattern in Palo Alto (CVE-2026-0257), Check Point (CVE-2026-50751), Cisco SD-WAN (CVE-2026-20262, its sixth exploited CVE in four months), FortiBleed (86,644 Fortinet firewalls with compromised credentials), and now SonicWall SMA1000.
How the CVE-2026-15409 and CVE-2026-15410 chained exploitation works
The attacker identifies an internet-facing SMA1000 appliance via automated scanning.
They send a crafted request to the Work Place interface exploiting CVE-2026-15409, steering the appliance to open a WebSocket tunnel toward port 8188 on localhost.
The appliance acts as an authenticated proxy to the AMC; CVE-2026-15410’s authentication requirement is bypassed.
The attacker exploits CVE-2026-15410 through the tunnel using a malicious path traversal-based remove_hotfix workflow to inject OS commands executed as root.
Root access obtained: the attacker can intercept VPN credentials, install persistent backdoors, pivot to the internal network or use the appliance as a launching point for further attacks.
Key lessons and immediate actions for organisations with SMA1000
Action 1 — Patch immediately (no alternative exists):
Update to 12.4.3-03453 or 12.5.0-02835 from mysonicwall.com. If the patch cannot be applied immediately, consider temporary disconnection of the appliance from the internet while preparing maintenance.
The urgency deadline is not limited to federal agencies: confirmed active exploitation means any unpatched internet-facing SMA1000 is at immediate risk, regardless of sector.
Action 2 — Review logs for indicators of compromise:
SonicWall and Rapid7 have published specific IOCs. Review: extraweb_access.log (look for requests to /wsproxy with anomalous host parameters), ctrl-service.log, and /var/lib/unit/conf.json (look for unauthorised modifications). Add specific detections for /api/login and /api/logout access patterns.
The patch does not remove an existing compromise. If IOCs are present, SonicWall recommends re-imaging physical appliances or redeploying virtual ones, changing all user and administrator passwords, and resetting TOTP tokens before returning to production.
Action 3 — Reduce attack surface while patching:
Restrict Work Place interface access via firewall rules limiting source IPs. This does not fully mitigate the vulnerability but reduces exposure while preparing the maintenance window.
Action 4 — Inventory and separate SMA1000 from other SonicWall products:
CVE-2026-15409 and CVE-2026-15410 do not affect SSL VPN on SonicWall firewalls or the SMA 100 Series. Verify precisely which devices are SMA1000 (6210, 7210, 8200v) before prioritising the patch plan.
Cybersecurity as a strategic priority
Q2 2026 has delivered an unambiguous conclusion for security leaders: perimeter appliances are target number one. Palo Alto, Check Point, Cisco SD-WAN, Fortinet and now SonicWall SMA1000, all with critical vulnerabilities exploited in production during the same period. For Spanish organisations using SMA1000 as their remote access gateway, today’s question is not whether to patch. It is whether they will patch before tomorrow’s deadline makes the question irrelevant.
Apolo Cybersecurity: urgent SonicWall SMA1000 patching and forensic analysis for CVE-2026-15409
At Apolo Cybersecurity we help organisations with SonicWall SMA1000 appliances respond to the active exploitation of CVE-2026-15409 and CVE-2026-15410: version status verification and SMA1000 inventory, urgent hotfix application, forensic log analysis for SonicWall and Rapid7 IOCs, compromised appliance re-imaging and credential rotation, and lateral impact assessment if the appliance was compromised before patching.