Critical Vulnerabilities in SonicWall SMA1000 Series Appliances Exploited
Zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 may enable compromise of SonicWall SMA1000 appliances
Summary
Zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 may enable compromise of SonicWall SMA1000 appliances
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2026-15409 and CVE-2026-15410
SonicWall has stated that it has investigated multiple cases indicating the active exploitation of these vulnerabilities. SonicWall strongly urge customers to update to the relevant hotfix release as soon as possible to remediate these vulnerabilities.
Firewalls and other edge devices are internet-facing by design and are highly attractive targets to attackers, and there is an increasing number of edge device vulnerabilities disclosed each year that are rapidly exploited by attackers. Organisations are strongly encouraged to follow NCSC's vulnerability management guidance, including patching edge devices as soon as possible if a critical vulnerability is identified.
The NHS England National CSOC assesses future exploitation of these vulnerabilities as almost certain.
Introduction
SonicWall has released a security advisory to address zero-day vulnerabilities in the SMA1000 Appliance Work Place interface and SMA1000 Appliance Management Console (AMC).
- CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability with CVSSv3 score of 10. A remote, unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
- CVE-2026-15410 is a code injection vulnerability in the management console of SMA1000 appliances with a CVSSv3 score of 7.2. In specific conditions, a remote attacker authenticated as administrator could potentially execute arbitrary OS commands.
Note: These vulnerabilities do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line.
Remediation advice
Affected organisations must review SonicWall's security advisory SNWLID-2026-0008 and apply the relevant updates as soon as possible. Additional recommended remediation steps below outline how to determine if an appliance has been compromised.
If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].
Remediation steps
| Type | Step |
|---|---|
| Patch |
Required: Organisations should patch to a fixed version:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008 |
| Action |
Strongly Recommended: Monitor for indicators of compromise (IoCs) on affected SMA1000 appliances.
If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008 |
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 15 July 2026 11:32 am