Critical Vulnerability

SonicWall SMA 1000 zero-days exploited in attacks

SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released

What Happened

SonicWall has issued an urgent security advisory warning that two zero-day vulnerabilities in the Secure Mobile Access (SMA) 1000 series appliances are under active exploitation. Tracked as CVE-2026-15409 and CVE-2026-15410, the flaws were discovered during an investigation into anomalous traffic on SMA 1000 units. SonicWall has released patches and strongly urged all customers to update immediately, noting that exploitation has been observed in zero-day attacks prior to any public disclosure.

Why It Matters

The SMA 1000 series is a widely deployed network gateway for remote access, making these devices a high-value target for threat actors. With one vulnerability enabling arbitrary command execution with administrative privileges, an unpatched appliance effectively grants an attacker full control over network traffic, credentials, and lateral movement paths. For organizations using SMA 1000 as a remote access VPN or SSL VPN gateway, a successful compromise undermines the perimeter security that remote workers rely on. Given the history of gateway-targeting ransomware groups and state-sponsored actors, the urgency of patching cannot be overstated.

Technical Details

CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability in the SMA 1000 appliance. An unauthenticated attacker can send specially crafted HTTP requests to the management interface, tricking the appliance into making internal network requests. This could expose internal services, bypass firewall rules, or pivot to other systems.

CVE-2026-15410 is a critical code injection flaw in the SMA 1000’s Appliance Management Console (AMC). Exploited properly, it allows an attacker to execute arbitrary commands as the root or admin user. This is the more severe of the two, as it directly leads to full device compromise.

Both vulnerabilities were exploited in coordination, likely with the SSRF used as an initial reconnaissance or access vector before the code injection triggered command execution. Affected firmware versions include all SMA 1000 releases prior to the latest patched build. No public proof-of-concept code or IOCs have been released by SonicWall, though network logs showing unusual requests to the SMA management interface (typically on TCP port 443 or 8443) should be investigated.

Immediate Risk

The risk is critical for any organization running an unpatched SonicWall SMA 1000 appliance. Since these vulnerabilities are already exploited in the wild, patching must be treated as an emergency change. Organizations should prioritize isolating SMA 1000 appliances from untrusted networks until patched, restrict management interface access to trusted IPs, and review logs for signs of unauthorized access or command execution. There is currently no evidence of a CISA KEV listing, but given the severity and active exploitation, it is likely imminent.

Security Insight

The pairing of an SSRF with a command injection vulnerability illustrates a common but often overlooked attack chain: using a lower-severity bug (SSRF) to map internal infrastructure and validate access before delivering the higher-impact payload. This mirrors the 2021 Hafnium Exchange Server attacks, where SSRF enabled initial foothold and privilege escalation followed. For defenders, this highlights the danger of prioritising only “critical” CVSS scores while ignoring chained lower-severity flaws in the same product. Any vulnerability on a perimeter gateway should be patched with equal urgency, regardless of its theoretical score.

Further Reading

Share:

Never miss a security update

Get real-time security alerts delivered to your preferred platform.

Related News

Related Across Yazoul

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.