SonicWall urges urgent patching after exploitation of two SMA1000 flaws

SonicWall is urging customers to update SMA1000 appliances after confirming that attackers are exploiting two vulnerabilities in zero-day campaigns. The flaws, tracked as CVE-2026-15409 and CVE-2026-1...

SonicWall is urging customers to update SMA1000 appliances after confirming that attackers are exploiting two vulnerabilities in zero-day campaigns. The flaws, tracked as CVE-2026-15409 and CVE-2026-15410, affect the Appliance Work Place interface and Appliance Management Console.

CVE-2026-15409 is a critical server-side request forgery vulnerability with a CVSS score of 10.0. It can be exploited remotely without authentication to make an appliance send requests to unintended destinations. CVE-2026-15410 is a high-severity post-authentication code-injection issue, rated CVSS 7.2, that could enable an authenticated administrator to run arbitrary operating-system commands. SonicWall assigned the advisory an overall score of 10.0.

The vendor said its product security team investigated multiple incidents and found evidence of active exploitation. It has not said whether attackers are combining the two vulnerabilities in the same campaigns.

Affected products and fixes

The issues affect SMA1000 6210 and 7210 appliances, along with the 8200v virtual appliance, when running specified 12.4.3 or 12.5.0 platform-hotfix releases. SonicWall has issued fixes in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, as well as later versions. The company says there are no alternative mitigations or workarounds.

The vulnerabilities do not affect SSL-VPN functionality on SonicWall firewalls or the SMA 100 product family. The U.S. Cybersecurity and Infrastructure Security Agency has added both CVEs to its Known Exploited Vulnerabilities catalog. Under federal guidance, U.S. agencies must address the flaws by July 17, 2026, or stop using affected products if they cannot apply the fixes.

Checks for possible compromise

Administrators should review appliance logs and configuration files for indicators supplied by SonicWall, including successful requests to /__api__/login or /__api__/logout, suspicious /wsproxy requests returning HTTP 101, hotfix rollbacks using path-traversal filenames, and unexpected routes for those API paths in /var/lib/unit/conf.json.

If compromise is suspected, SonicWall recommends reimaging physical appliances or redeploying virtual ones, changing administrator and user passwords, and resetting TOTP tokens. Organizations should install the applicable hotfix and investigate for additional unauthorized activity.