CyberSecurity

SonicWall Rushes Patches for Two Zero-Days Hitting SMA1000 Appliances

Published

on

Two Zero-Days Under Active Attack

SonicWall is sounding the alarm over two freshly discovered zero-day vulnerabilities that attackers are already exploiting in the wild. The flaws — tracked as CVE-2026-15409 and CVE-2026-15410 — target the company’s SMA1000 series of secure remote access appliances. Organizations using these devices need to act fast.

Both vulnerabilities were disclosed on July 15, 2026, and the vendor has confirmed that exploitation is underway. According to SonicWall’s PSIRT team, the company investigated multiple incidents where these holes were actively used against customers.

What the Flaws Actually Do

The first bug, CVE-2026-15409, is a critical server-side request forgery (SSRF) issue. It lives in the Appliance Work Place interface. An unauthenticated attacker can exploit it remotely, forcing the targeted appliance to send requests to unintended locations. That kind of access can open the door to internal network reconnaissance or data theft.

The second vulnerability, CVE-2026-15410, carries a high-severity rating. It’s a code injection flaw inside the Appliance Management Console (AMC). To use it, an attacker needs admin privileges — but once they have them, they can execute arbitrary OS commands on the device. That’s full control, essentially.

The two SonicWall SMA zero-day vulnerabilities can be chained together. An attacker might use the SSRF bug to gain a foothold and then escalate to code execution via the AMC flaw. Remote code execution scenarios like this are exactly what keep security teams up at night.

Affected Products and the Fix

The vulnerable hardware includes SMA1000 models 6210, 7210, and the virtual appliance 8200v. SonicWall has shipped hotfix releases — version 12.4.3-03453 and version 12.5.0-02835 — that address both issues. The company is urging every enterprise running these appliances to update immediately.

There is no workaround. If you’re on an affected version, the only safe move is to patch. Delaying carries real risk, especially given the active exploitation reports.

CISA Weighs In, IoCs Released

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been given until July 17 to remediate the issues. That’s a tight deadline — just two days from the disclosure date — which underscores the severity of the threat.

SonicWall has also shared indicators of compromise (IoCs) to help defenders detect whether their networks have been hit. The company hasn’t named the threat actor behind the attacks, but the patterns suggest a targeted campaign, not random scanning.

Cybersecurity firm Volexity assisted SonicWall in the investigation. So far, Volexity hasn’t published its own analysis, but that may change soon. The security community will be watching closely for technical deep-dives.

Not the First Time for SonicWall

This isn’t an isolated incident. SonicWall products have been a frequent target for both criminal gangs and state-backed hackers. CISA’s KEV catalog now lists 17 SonicWall flaws, including several that affect the SMA1000 line. The pattern is clear: attackers see these appliances as high-value entry points into corporate networks.

For IT and security teams, the takeaway is straightforward. Check your SMA1000 firmware version. If it’s not on the hotfix builds, schedule the update now. Given that exploitation is confirmed and CISA is pushing for immediate action, waiting is not an option.

Related Reading

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version