SonicWall SMA 1000 zero-days exploited in attacks
SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released
What Happened
SonicWall has issued an urgent security advisory warning that two zero-day vulnerabilities in the Secure Mobile Access (SMA) 1000 series appliances are under active exploitation. Tracked as CVE-2026-15409 and CVE-2026-15410, the flaws were discovered during an investigation into anomalous traffic on SMA 1000 units. SonicWall has released patches and strongly urged all customers to update immediately, noting that exploitation has been observed in zero-day attacks prior to any public disclosure.
Why It Matters
The SMA 1000 series is a widely deployed network gateway for remote access, making these devices a high-value target for threat actors. With one vulnerability enabling arbitrary command execution with administrative privileges, an unpatched appliance effectively grants an attacker full control over network traffic, credentials, and lateral movement paths. For organizations using SMA 1000 as a remote access VPN or SSL VPN gateway, a successful compromise undermines the perimeter security that remote workers rely on. Given the history of gateway-targeting ransomware groups and state-sponsored actors, the urgency of patching cannot be overstated.
Technical Details
CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability in the SMA 1000 appliance. An unauthenticated attacker can send specially crafted HTTP requests to the management interface, tricking the appliance into making internal network requests. This could expose internal services, bypass firewall rules, or pivot to other systems.
CVE-2026-15410 is a critical code injection flaw in the SMA 1000’s Appliance Management Console (AMC). Exploited properly, it allows an attacker to execute arbitrary commands as the root or admin user. This is the more severe of the two, as it directly leads to full device compromise.
Both vulnerabilities were exploited in coordination, likely with the SSRF used as an initial reconnaissance or access vector before the code injection triggered command execution. Affected firmware versions include all SMA 1000 releases prior to the latest patched build. No public proof-of-concept code or IOCs have been released by SonicWall, though network logs showing unusual requests to the SMA management interface (typically on TCP port 443 or 8443) should be investigated.
Immediate Risk
The risk is critical for any organization running an unpatched SonicWall SMA 1000 appliance. Since these vulnerabilities are already exploited in the wild, patching must be treated as an emergency change. Organizations should prioritize isolating SMA 1000 appliances from untrusted networks until patched, restrict management interface access to trusted IPs, and review logs for signs of unauthorized access or command execution. There is currently no evidence of a CISA KEV listing, but given the severity and active exploitation, it is likely imminent.
Security Insight
The pairing of an SSRF with a command injection vulnerability illustrates a common but often overlooked attack chain: using a lower-severity bug (SSRF) to map internal infrastructure and validate access before delivering the higher-impact payload. This mirrors the 2021 Hafnium Exchange Server attacks, where SSRF enabled initial foothold and privilege escalation followed. For defenders, this highlights the danger of prioritising only “critical” CVSS scores while ignoring chained lower-severity flaws in the same product. Any vulnerability on a perimeter gateway should be patched with equal urgency, regardless of its theoretical score.
Further Reading
Never miss a security update
Get real-time security alerts delivered to your preferred platform.
Related News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabiliti
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. 'Although tactics differ between