• 2 min read
SonicWall says SMA1000 zero-days are under attack
SonicWall has patched two actively exploited SMA1000 flaws, including a CVSS 10.0 SSRF bug, and says customers should update immediately.

Image: BleepingComputer
SonicWall is warning customers to patch SMA1000 appliances immediately after confirming active zero-day exploitation of two vulnerabilities: CVE-2026-15409 and CVE-2026-15410.
CVE-2026-15409 is a critical CVSS 10.0 server-side request forgery (SSRF) flaw in the SMA1000 Appliance Work Place interface. SonicWall says it lets a remote, unauthenticated attacker force an appliance to send requests to unintended locations. CVE-2026-15410 is a high-severity CVSS 7.2 post-authentication code injection bug in the SMA1000 Appliance Management Console that could let a remote authenticated administrator run arbitrary operating system commands.
Even though CVE-2026-15410 requires administrator privileges, SonicWall assigned the advisory an overall CVSS score of 10.0. The company said it investigated multiple incidents and verified that both flaws are being exploited in the wild.
“SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory.” “Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities”
SonicWall has not said whether attackers are chaining the two bugs together. According to the advisory, the affected products are SMA1000 models 6210, 7210, and 8200v running these platform-hotfix releases:
- 12.4.3-03245
- 12.4.3-03387
- 12.4.3-03434
- 12.5.0-02283
- 12.5.0-02624
- 12.5.0-02800
Fixes are available in 12.4.3-03453 and 12.5.0-02835, and later releases. SonicWall said the flaws do not affect SSL-VPN on SonicWall firewalls or the SMA 100 Series.

Recommended reading
Anthropic finds Claude Code used in mostly automated hack
The company also published indicators of compromise administrators should check for, including:
- Requests in extraweb_access.log to /__api__/login or /__api__/logout with HTTP 200 status
- Requests in extraweb_access.log to /wsproxy with suspicious host parameters and 101 HTTP status
- Mentions in ctrl-service.log of hotfix rollbacks with path traversal names
- /var/lib/unit/conf.json containing routes for /__api__/login or /__api__/logout, which SonicWall says do not exist in legitimate configurations
If compromise is found, SonicWall recommends re-imaging physical appliances or redeploying virtual ones, changing all user and administrator passwords, and resetting TOTP tokens. The company said there are no workarounds or mitigations beyond installing the hotfixes.
The U.S. Cybersecurity and Infrastructure Security Agency has added both flaws to its Known Exploited Vulnerabilities catalog. Federal agencies have until July 17, 2026 to secure affected systems under Binding Operational Directive 26-04 or stop using the product if they cannot apply mitigations.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


