Skip to main content

Critical Vulnerabilities in SonicWall SMA1000 Series Appliances Exploited

Zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 may enable compromise of SonicWall SMA1000 appliances

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 may enable compromise of SonicWall SMA1000 appliances


Threat details

Exploitation of CVE-2026-15409 and CVE-2026-15410

SonicWall has stated that it has investigated multiple cases indicating the active exploitation of these vulnerabilities. SonicWall strongly urge customers to update to the relevant hotfix release as soon as possible to remediate these vulnerabilities.

Firewalls and other edge devices are internet-facing by design and are highly attractive targets to attackers, and there is an increasing number of edge device vulnerabilities disclosed each year that are rapidly exploited by attackers. Organisations are strongly encouraged to follow NCSC's vulnerability management guidance, including patching edge devices as soon as possible if a critical vulnerability is identified.

The NHS England National CSOC assesses future exploitation of these vulnerabilities as almost certain.


Introduction

SonicWall has released a security advisory to address zero-day vulnerabilities in the SMA1000 Appliance Work Place interface and SMA1000 Appliance Management Console (AMC).

  • CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability with CVSSv3 score of 10. A remote, unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
  • CVE-2026-15410 is a code injection vulnerability in the management console of SMA1000 appliances with a CVSSv3 score of 7.2. In specific conditions, a remote attacker authenticated as administrator could potentially execute arbitrary OS commands.

Note: These vulnerabilities do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line.


Remediation advice

Affected organisations must review SonicWall's security advisory SNWLID-2026-0008 and apply the relevant updates as soon as possible. Additional recommended remediation steps below outline how to determine if an appliance has been compromised.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. 


Remediation steps

Type Step
Patch

Required: Organisations should patch to a fixed version:

  • 12.4.3-03453 (platform-hotfix) and higher versions.
  • 12.5.0-02835 (platform-hotfix) and higher versions.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008
Action

Strongly Recommended: Monitor for indicators of compromise (IoCs) on affected SMA1000 appliances.

  • In extraweb_access.log, check for requests to:

    • /__api__/login
    • /__api__/logout

    returning HTTP 200.

 

  • In extraweb_access.log, check for requests to:

    • /wsproxy

    with suspicious host parameters and HTTP 101 status codes. 

 

  • In ctrl-service.log, look for hotfix rollbacks that include path traversal-style names. 

  • Check /var/lib/unit/conf.json for routes to:

    • /__api__/login
    • /__api__/logout

    These routes are not present in legitimate configurations.

 

  • If IoCs are found:
    • Re-image hardware appliances or re-deploy virtual appliances.
    • Change all user and administrator passwords.
    • Reset TOTP tokens.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. 


https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008


Last edited: 15 July 2026 11:32 am