SMA1000 Appliance SSRF exploited in wild (CVE-2026-15409)
CVE-2026-15409
CVE-2026-15409: SMA1000 Appliance Work Place SSRF lets unauthenticated attackers reach internal services (CVSS 10.0). Patched; apply update now.
Actively exploited in the wild - CVE-2026-15409 is a critical Server-side Request Forgery (SSRF) in the SMA1000 Appliance Work Place interface that allows an unauthenticated attacker to make the appliance send requests to unintended internal or external locations. CISA has confirmed active exploitation, and a patch is available - update immediately.
Overview
CVE-2026-15409 is a maximum-criticality Server-side Request Forgery (SSRF) vulnerability in the Work Place interface of SMA1000 Appliance firmware. The vulnerability carries a CVSS score of 10.0, with a network-based attack vector, low attack complexity, no required privileges, and no user interaction. An attacker who can reach the Work Place web interface can make the appliance act as a proxy, sending crafted requests to any internal network resource the appliance can access. This enables reconnaissance of adjacent internal services, data exfiltration from systems the appliance trusts, and potential lateral movement into the internal network.
The vulnerability has been listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively targeting SMA1000 Appliance deployments in the wild. The affected component is the Work Place interface, which is exposed to network traffic and intended for end-user access.
Impact
A successful SSRF attack against the SMA1000 Appliance allows an unauthenticated remote attacker to:
- Probe internal network services behind the appliance’s firewall — services that are not directly exposed to the internet.
- Read metadata or configuration files from cloud provider endpoints (e.g., AWS/169.254.169.254) if the appliance runs in a cloud environment.
- Launch further attacks against internal databases, management interfaces, or other appliances that trust the originating SMA1000 appliance.
Because the CVSS score is 10.0, any vulnerable SMA1000 Appliance is a trivial target for automated scanning and exploitation.
Remediation
SonicWall has released a firmware update that patches CVE-2026-15409. Organizations must apply the latest SMA1000 firmware immediately. No workarounds are available.
If immediate patching is not possible, block access to the Work Place interface at the network perimeter until the update can be applied. Specifically, restrict source IPs that can reach the SMA1000 Appliance to trusted management networks or VPN gateways, and consider deploying a web application firewall (WAF) with SSRF detection rules as a temporary mitigation.
Security Insight
CVE-2026-15409 illustrates a pattern that continues to plague enterprise appliances: network-facing management interfaces that trust inbound requests without validating the destination. The SMA1000 case is especially concerning because a CVSS 10.0 SSRF rarely appears in CISA KEVs, signaling that attackers have both the motivation and the tooling to weaponize this class of flaw even when the immediate impact is “only” indirect access rather than direct RCE. Organizations should inventory any appliance or gateway with a “portal” or “Work Place” interface and verify that it cannot be used as a pivot point into the internal network. For the latest cybersecurity news and breach reports, visit security news and breach reports.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has be...
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network....
Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network....
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API c...