SonicWall reports that two critical SMA1000 vulnerabilities (CVE‑2026‑15409 and CVE‑2026‑15410) are being actively leveraged in zero‑day attacks. The vendor urges all customers to apply the newly released hot‑fixes without delay.

Key Takeaways

  • Two new vulnerabilities (CVE‑2026‑15409, CVE‑2026‑15410) are actively exploited in zero‑day attacks.
  • SonicWall has released hot‑fixes for all affected SMA1000 models.
  • The U.S. CISA added these flaws to its KEV catalog, prompting immediate federal remediation.

Cyber‑security firm SonicWall issued an urgent advisory today, warning that threat actors are actively exploiting two newly disclosed SMA1000 vulnerabilities – CVE‑2026‑15409 and CVE‑2026‑15410. The former is a critical (CVSS 10.0) server‑side request forgery (SSRF) bug, while the latter is a high‑severity (CVSS 7.2) post‑authentication code‑injection flaw.

Technical Details and Severity

CVE‑2026‑15409 allows an unauthenticated remote attacker to coerce the appliance into sending requests to arbitrary internal or external endpoints, effectively bypassing network segmentation. CVE‑2026‑15410 requires a valid administrator session but enables the attacker to execute arbitrary operating‑system commands on the underlying host. Although CVE‑2026‑15410 needs admin privileges, SonicWall assigned the advisory an overall CVSS score of 10.0, reflecting the combined impact when both bugs are chained.

Affected Devices and Patch Availability

The flaws affect SMA1000 series models 6210, 7210 and 8200v running platform‑hotfix releases 12.4.3‑03245, 12.4.3‑03387, 12.4.3‑03434, 12.5.0‑02283, 12.5.0‑02624 and 12.5.0‑02800. SonicWall has released hot‑fixes in platform‑hotfix versions 12.4.3‑03453 and 12.5.0‑02835, and recommends immediate upgrade to these or any later release. The company clarified that SSL‑VPN functionality and the broader SMA‑100 series are not impacted.

Indicators of Compromise (IOCs)

To aid administrators in detection, SonicWall shared specific IOCs: unexpected /__api__/login or /__api__/logout requests with HTTP 200 in extraweb_access.log, suspicious /wsproxy calls with HTTP 101, hot‑fix rollback entries in ctrl-service.log, and anomalous route entries in /var/lib/unit/conf.json. If any of these signs are observed, the recommendation is to re‑image physical devices or redeploy virtual appliances, rotate all credentials, and reset TOTP tokens.

U.S. Government Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Under Binding Operational Directive (BOD) 26‑04, federal agencies must remediate affected systems by July 17, 2026, or discontinue use of the vulnerable products.

Industry analysts stress that this episode underscores the necessity of rapid patch cycles and continuous vulnerability management, especially as automated exploit kits lower the barrier for threat actors. Organizations that rely on SMA1000 appliances should treat this as a wake‑up call to integrate regular hot‑fix testing into their broader security‑as‑code pipelines.