SonicWall SMA 1000 zero-days (CVE-2026-15409 & CVE-2026-15410): actively exploited - patch now
SonicWall disclosed two zero-days in its Secure Mobile Access 1000 appliances on 15 July 2026 - a CVSS 10.0 unauthenticated SSRF and a post-auth command injection in the management console. Both are being exploited in the wild. Here's the briefing, the IoCs to hunt for, and the action list.
Contents
The short version
Edge devices are the front door to the enterprise, which is exactly why attackers love them. A remote-access appliance sits on the internet by design, brokers connections into the network, and often runs with sweeping privileges. When one has a zero-day, it isn't a theoretical problem - it's a live one.
That's where SonicWall's Secure Mobile Access (SMA) 1000 Series appliances stand today. On 15 July 2026, SonicWall disclosed two zero-day vulnerabilities in these appliances, and both are already being exploited in the wild.
If you patch nothing else today: update affected SMA 1000 appliances to platform-hotfix 12.4.3-03453 or 12.5.0-02835 (or later), then hunt for indicators of compromise. Both hotfix lines address both CVEs.
What: a critical unauthenticated server-side request forgery (SSRF) flaw and a high-severity post-authentication command-injection flaw in the Appliance Management Console. Together they open a path to appliance compromise, arbitrary OS command execution with administrator privileges, and a foothold in your internal network.
The two vulnerabilities
| CVE | Flaw | CVSS | Auth required | Status |
|---|---|---|---|---|
| CVE-2026-15409 | Server-side request forgery (SSRF) | 10.0 | NONE | In the wild |
| CVE-2026-15410 | OS command injection in AMC | 7.2 | Post-auth | In the wild |
CVE-2026-15409 - SSRF (CVSS 10.0, Critical). A server-side request forgery flaw that lets a remote, unauthenticated attacker make the appliance send requests to unintended internal or external destinations. On its own, SSRF is a pivot: it can be used to reach systems the appliance can see but the attacker can't, probe internal services, and set up further attacks against the environment.
CVE-2026-15410 - Command injection (CVSS 7.2, High). A post-authentication code-injection flaw in the Appliance Management Console (AMC). Under certain conditions, an authenticated attacker can execute arbitrary operating-system commands with administrator privileges. SonicWall has confirmed this one is being actively exploited.
The danger is in the combination. A critical unauthenticated SSRF that softens the target, paired with an authenticated command-execution primitive on the same appliance, is the kind of pairing that turns "internet-facing device" into "attacker's entry point."
Reach
An unauthenticated attacker abuses the SSRF (CVE-2026-15409) to make the appliance issue requests on their behalf - reaching internal services and endpoints that were never meant to be exposed to the internet.
Execute
With a foothold in the management surface, the command-injection flaw (CVE-2026-15410) in the AMC yields arbitrary OS command execution with administrator privileges on the appliance itself.
Persist and pivot
From there the attacker can rewrite configuration, plant persistence that survives a reboot, harvest credentials and TOTP seeds, and move into the internal network the appliance was built to broker access into.
What's at stake
Successful exploitation can lead to:
- Unauthenticated SSRF forcing the appliance to make requests to internal or external systems (CVE-2026-15409).
- Administrator-level OS command execution through the management console by an authenticated attacker (CVE-2026-15410).
- Full compromise of the appliance - attackers can change configurations, establish persistence, and pivot into internal network resources.
- Access to sensitive data, service disruption, and broader exploitation of the enterprise environment off the back of that compromise.
Because these devices sit at the network edge and mediate remote access, a compromised appliance is rarely the end of the story - it's usually the beginning of one.
Pattern observation: this is the same appliance family we flagged in our March 2025 zero-day report for CVE-2025-23006 - a pre-auth deserialisation bug in the same Appliance Management Console, also exploited before disclosure. If your defence model still treats the SMA management plane as trusted infrastructure, the model needs an update.
Are you affected?
Anything below the fixed hotfixes should be treated as vulnerable. Start here:
- Check the software version of your SMA 1000 appliances from the Appliance Management Console (AMC).
- Consider the appliance vulnerable if it's running a version earlier than 12.4.3-03453 (platform-hotfix) or 12.5.0-02835 (platform-hotfix).
| Product | Affected versions | Status |
|---|---|---|
| SMA 1000 Series (12.4.3 branch) | Earlier than 12.4.3-03453 | VULNERABLE |
| SMA 1000 Series (12.5.0 branch) | Earlier than 12.5.0-02835 | VULNERABLE |
Hunt for indicators of compromise
Patching is only half the job on an actively exploited zero-day - you also need to confirm you weren't already hit. Review logs and configuration for these signs.
For CVE-2026-15409:
- In
extraweb_access.log, look for requests to the/__api__/loginor/__api__/logoutendpoints returning HTTP 200 - these may indicate malicious activity. - In the same log, look for requests to
/wsproxycarrying suspicious host parameters with HTTP 101 status, which can indicate exploitation attempts.
For CVE-2026-15410:
- Confirm the appliance has been updated to SonicWall's latest security hotfix.
- Review
ctrl-service.logfor unexpected hotfix-rollback events or entries containing path-traversal-style names. - Inspect
/var/lib/unit/conf.jsonfor unexpected routes to/__api__/loginor/__api__/logout- those endpoints should not exist in a legitimate configuration. - Watch administrator activity and system logs for unexpected command execution, configuration changes, or other anomalies.
If any of these indicators show up, treat the appliance as potentially compromised and move to a full forensic investigation following SonicWall's guidance.
What to do - in priority order
1. Patch immediately
Update affected SMA 1000 appliances to the fixed platform hotfixes:
- 12.4.3-03453 (platform-hotfix) or later, or
- 12.5.0-02835 (platform-hotfix) or later.
Both hotfix lines address both CVEs, so bring your appliance up to whichever branch matches your deployment. With confirmed exploitation, this deserves emergency-change treatment rather than your normal patch cadence.
2. If you find indicators of compromise, assume the worst and rebuild
A patched-but-already-breached appliance is still a breached appliance. If IoCs are present:
- Re-image physical appliances or redeploy virtual ones to strip out any malicious modifications.
- Change every user and administrator password.
- Reset all TOTP (time-based one-time password) tokens.
- Run a thorough forensic investigation to scope the full extent of the compromise.
3. Reduce exposure so the next zero-day hurts less
- Lock down the AMC and other administrative interfaces so they're reachable only from trusted management networks, with firewall rules that minimise unnecessary public exposure.
- Monitor continuously. Regularly review
extraweb_access.log,ctrl-service.log, and appliance configuration files for suspicious activity. - Enforce least privilege and apply security updates promptly as they're released.
An unauthenticated CVSS 10.0 on a device whose entire job is brokering remote access is as close to a worst case as edge security gets. Patch to the fixed hotfixes, verify you weren't already breached, and pull the management console back behind a trusted network - in that order.
- Staatse advisory desk, July 2026
Key takeaways
- CVE-2026-15409 is an unauthenticated CVSS 10.0 SSRF in SonicWall SMA 1000 appliances; CVE-2026-15410 is a post-auth command injection in the AMC granting administrator-level OS command execution.
- Both were disclosed on 15 July 2026 already under active exploitation - there was no patch-before-exploit window.
- The fixed builds are platform-hotfix 12.4.3-03453 and 12.5.0-02835; either line remediates both CVEs.
- Patching isn't enough. Check
extraweb_access.log,ctrl-service.log, and/var/lib/unit/conf.jsonfor the published IoCs - and if any hit, re-image, rotate every credential, and reset TOTP tokens.
The takeaway
Two zero-days in an internet-facing remote-access appliance, both under active exploitation, is a drop-everything situation. The remediation, at least, is clear: update to the fixed hotfixes, verify you weren't already compromised, and pull administrative access back behind trusted networks. Edge devices are the front door - and right now, this one needs a new lock.
Attackers move fast on appliance zero-days. Move faster.
If you want help confirming whether your remote-access estate was exposed - or hunting for a foothold if it was - our network penetration testing and web application security testing teams can scope an emergency review. Get in touch and we'll walk your team through it.