Critical (10.0) Actively Exploited

SMA1000 Appliance SSRF exploited in wild (CVE-2026-15409)

CVE-2026-15409

CVE-2026-15409: SMA1000 Appliance Work Place SSRF lets unauthenticated attackers reach internal services (CVSS 10.0). Patched; apply update now.

Actively exploited in the wild - CVE-2026-15409 is a critical Server-side Request Forgery (SSRF) in the SMA1000 Appliance Work Place interface that allows an unauthenticated attacker to make the appliance send requests to unintended internal or external locations. CISA has confirmed active exploitation, and a patch is available - update immediately.

Overview

CVE-2026-15409 is a maximum-criticality Server-side Request Forgery (SSRF) vulnerability in the Work Place interface of SMA1000 Appliance firmware. The vulnerability carries a CVSS score of 10.0, with a network-based attack vector, low attack complexity, no required privileges, and no user interaction. An attacker who can reach the Work Place web interface can make the appliance act as a proxy, sending crafted requests to any internal network resource the appliance can access. This enables reconnaissance of adjacent internal services, data exfiltration from systems the appliance trusts, and potential lateral movement into the internal network.

The vulnerability has been listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively targeting SMA1000 Appliance deployments in the wild. The affected component is the Work Place interface, which is exposed to network traffic and intended for end-user access.

Impact

A successful SSRF attack against the SMA1000 Appliance allows an unauthenticated remote attacker to:

  • Probe internal network services behind the appliance’s firewall — services that are not directly exposed to the internet.
  • Read metadata or configuration files from cloud provider endpoints (e.g., AWS/169.254.169.254) if the appliance runs in a cloud environment.
  • Launch further attacks against internal databases, management interfaces, or other appliances that trust the originating SMA1000 appliance.

Because the CVSS score is 10.0, any vulnerable SMA1000 Appliance is a trivial target for automated scanning and exploitation.

Remediation

SonicWall has released a firmware update that patches CVE-2026-15409. Organizations must apply the latest SMA1000 firmware immediately. No workarounds are available.

If immediate patching is not possible, block access to the Work Place interface at the network perimeter until the update can be applied. Specifically, restrict source IPs that can reach the SMA1000 Appliance to trusted management networks or VPN gateways, and consider deploying a web application firewall (WAF) with SSRF detection rules as a temporary mitigation.

Security Insight

CVE-2026-15409 illustrates a pattern that continues to plague enterprise appliances: network-facing management interfaces that trust inbound requests without validating the destination. The SMA1000 case is especially concerning because a CVSS 10.0 SSRF rarely appears in CISA KEVs, signaling that attackers have both the motivation and the tooling to weaponize this class of flaw even when the immediate impact is “only” indirect access rather than direct RCE. Organizations should inventory any appliance or gateway with a “portal” or “Work Place” interface and verify that it cannot be used as a pivot point into the internal network. For the latest cybersecurity news and breach reports, visit security news and breach reports.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Related Advisories

Related Across Yazoul

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.