SMA1000 AMC code injection exploited in wild (CVE-2026-15410)
CVE-2026-15410
CVE-2026-15410: Actively exploited post-auth code injection in SMA1000 AMC lets admin execute OS commands (CVSS 7.2). Apply vendor patch immediately; see advisory for mitigations.
Actively exploited in the wild - CVE-2026-15410 is a high-severity code injection vulnerability in the SMA1000 Appliance Management Console (AMC) that lets authenticated administrators execute arbitrary OS commands on the appliance. Patched in the latest SMA1000 firmware; update immediately.
Overview
CVE-2026-15410 is a post-authentication code injection vulnerability affecting the SMA1000 Appliance Management Console. The flaw exists in the AMC’s code generation process, where improper control of dynamically generated code allows an authenticated attacker with administrator privileges to inject and execute arbitrary operating system commands under specific conditions. With a CVSS score of 7.2 (High), this vulnerability requires network access and high privileges (admin) but no user interaction, making it a targeted threat for attackers who have already compromised an administrative account.
The vulnerability has been confirmed by CISA as actively exploited in the wild and is listed in the Known Exploited Vulnerabilities (KEV) catalog.
Impact
Successful exploitation allows a remote authenticated administrator to execute arbitrary OS commands on the affected SMA1000 appliance. This can lead to full compromise of the appliance, including:
- Installation of persistent backdoors
- Exfiltration of firewall logs and configuration data
- Lateral movement within the network by leveraging the compromised appliance as a pivot point
- Disruption of VPN services and network traffic inspection
While the vulnerability requires administrative credentials, the active exploitation status means organizations running vulnerable versions should treat any admin account as a potential initial access vector.
Affected Products
The vulnerability affects the SMA1000 Appliance Management Console across all firmware versions prior to the patched release. Organizations should check their SMA1000 version against the vendor security advisory.
Remediation
The vendor has released a firmware update addressing CVE-2026-15410. Organizations should:
- Update SMA1000 firmware to the latest patched version immediately.
- Audit all administrative accounts for signs of compromise.
- Review AMC logs for unusual command execution or configuration changes.
- Implement network segmentation to restrict AMC access to trusted management networks only.
- Enable multi-factor authentication for all administrative access to the SMA1000.
Security Insight
CVE-2026-15410 joins a growing list of post-authentication vulnerabilities in network appliance management interfaces that are being actively exploited, often as part of initial access broker campaigns. The pattern is consistent: a vendor appliance’s management console offers rich functionality to administrators, but the code injection surface in these admin panels receives less scrutiny than core networking functions. This highlights a broader industry lesson — appliance management interfaces have become a prime target for attackers who have obtained credentials through phishing or credential stuffing, and should be treated with the same security rigor as VPN portals and web applications. For ongoing coverage of supply chain threats targeting security appliances, see our security news section and breach reports for related campaign analysis.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1....
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to i...
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the comm...
All versions of the package jsonpath are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JS...