SonicWall SMA1000 CVEs Hit CISA KEV After Zero-Day Attacks

SonicWall patched actively exploited SMA1000 SSRF and code-injection flaws. Admins should move to fixed hotfix builds and review IOC logs, not just patch.

SonicWall has patched two actively exploited SMA1000 vulnerabilities, and CISA has now added both flaws to its Known Exploited Vulnerabilities catalog with a July 17, 2026 remediation deadline for covered federal agencies.[1] The issues are CVE-2026-15409, a critical pre-authentication server-side request forgery flaw, and CVE-2026-15410, a post-authentication code-injection flaw that can lead to remote command execution from the Appliance Management Console.[2]

The short version for defenders is simple: if you run SonicWall SMA 1000 Series appliances on the affected hotfix trains, install the fixed build and then perform an IOC review. SonicWall’s own notice says the vulnerabilities have been confirmed as exploited in the wild, and its remediation guidance explicitly warns customers to look for compromise indicators instead of treating the firmware update as the whole response.[2]

The affected product family is SonicWall Secure Mobile Access 1000 Series, including SMA6210, SMA7210, SMA8200v, and CMS deployments across supported hypervisors. SonicWall lists impacted platform-hotfix versions as 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. Fixed versions are 12.4.3-03453 or later, and 12.5.0-02835 or later.[2]

CVE-2026-15409 is the more exposed entry point because it is unauthenticated. SonicWall describes it as an SSRF issue in the SMA1000 Appliance Work Place interface that could cause the appliance to make requests to unintended locations.[2] On a remote-access gateway, that distinction matters: an internet-facing system may be able to reach internal services, authentication infrastructure, or management paths that external attackers cannot reach directly.

CVE-2026-15410 requires administrative authentication, but the impact is still serious. The flaw is a code-injection issue in the SMA1000 Appliance Management Console and can allow a remote authenticated administrator to execute arbitrary operating-system commands under specific conditions.[2] Help Net Security reported that, in observed attacks, the two bugs have been exploited in tandem, which makes credential, session, and admin-account review part of the practical response rather than an optional cleanup step.[3]

What SMA1000 Admins Should Check Now

Start with inventory. Confirm every production, standby, lab, disaster-recovery, and virtual SMA1000 instance, then compare the installed hotfix level with SonicWall’s affected and fixed versions. Remote-access appliances are the same class of high-value perimeter target seen in recent VPN incidents, including older SonicWall VPN attacks, Fortinet VPN credential exposure, and Check Point VPN exploitation.

Next, patch to the appropriate fixed branch: 12.4.3-03453 or higher for affected 12.4.3 deployments, and 12.5.0-02835 or higher for affected 12.5.0 deployments.[2] If the appliance is internet-facing, prioritize the maintenance window as an incident-response action, not a routine update. CISA’s KEV listing is a signal that exploitation evidence exists, even though public reporting has not identified a threat actor, victim set, or full exploit chain.[1]

After patching, review SonicWall’s listed indicators. The company calls out extraweb_access.log entries for /_api_/login and /__api__/logout returning HTTP 200, suspicious /wsproxy requests with host parameters and HTTP 101, ctrl-service.log entries mentioning hotfix removal with a path-traversal name, and unexpected /var/lib/unit/conf.json routes for /__api__/login or /__api__/logout.[2]

If those indicators appear, SonicWall advises re-imaging hardware appliances or re-deploying virtual appliances, changing user and administrator passwords, and resetting TOTP tokens.[2] That is a stronger response than ordinary patch management, but it matches the risk profile of a remote-access gateway that may handle credentials, sessions, and privileged administrative paths.

Configuration backups also deserve caution. SonicWall says backups should only be used if they pre-date installation of the December hotfix versions 12.4.3-03245 and 12.5.0-02283; otherwise, admins should closely audit the configuration for tampering.[2] For organizations that cannot immediately prove a clean state, the safer assumption is that the appliance needs both firmware remediation and forensic validation.

The broader lesson is familiar: edge access products are not just another patch queue item. They sit between the internet and the internal network, often with identity and MFA dependencies nearby. Treat this SonicWall update as a combined patch, log-review, credential, and configuration-hardening task.

References

  1. CISA. “CISA Adds Four Known Exploited Vulnerabilities to Catalog.” July 14, 2026. https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
  2. SonicWall. “Product Notice: SMA 1000 Series affected by Multiple Vulnerabilities.” Published July 14, 2026. https://www.sonicwall.com/support/notices/product-notice-sma-1000-series-affected-by-multiple-vulnerabilities/kA1VN000001nv6D0AQ
  3. Help Net Security. “SonicWall SMA appliances targeted in zero-day attacks (CVE-2026-15409, CVE-2026-15410).” July 14, 2026. https://www.helpnetsecurity.com/2026/07/14/sonicwall-sma-attacks-via-cve-2026-15409-cve-2026-15410/
  4. BleepingComputer. “SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now.” July 14, 2026. https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-flaws-exploited-in-zero-day-attacks-patch-now/

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment