Full Report
SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to
Analysis Summary
This summary provides a technical overview of the security vulnerabilities impacting SonicWall Secure Mobile Access (SMA) 1000 series appliances as reported in July 2026.
# Vulnerability: SonicWall SMA 1000 Zero-Day Flaws
## CVE Details
- **CVE ID:** CVE-2026-15409
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Server-Side Request Forgery (SSRF)
- **CVE ID:** CVE-2026-15410
- **CVSS Score:** 7.2 (High)
- **CWE:** OS Command Injection (Post-Authentication)
## Affected Systems
- **Products:** SonicWall Secure Mobile Access (SMA) 1000 series appliances.
- **Versions:** Versions prior to 12.4.3-03453 and 12.5.0-02835.
- **Configurations:** Virtual and physical appliances are both impacted; CVE-2026-15410 specifically targets the Appliance Management Console (AMC).
## Vulnerability Description
CVE-2026-15409 is a critical SSRF vulnerability that allows a remote, unauthenticated attacker to force the appliance to make requests to unintended internal or external locations. This can be used to bypass perimeter security or access internal services.
CVE-2026-15410 is a code injection vulnerability located within the AMC. A remote attacker with existing credentials can exploit this flaw to execute arbitrary OS commands as an administrator, potentially gaining full control over the appliance configuration.
## Exploitation
- **Status:** Exploited in the wild (Zero-day); confirmed by SonicWall PSIRT and Volexity. Added to CISA KEV catalog.
- **Complexity:** Low (CVE-2026-15409) / Medium (CVE-2026-15410).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full data access potential).
- **Integrity:** High (Administrative command execution).
- **Availability:** High (Device control and potential for disruption).
## Remediation
### Patches
SonicWall has released platform-hotfixes to address these flaws. Administrators should upgrade to:
- **12.4.3-03453** (platform-hotfix) or higher.
- **12.5.0-02835** (platform-hotfix) or higher.
### Workarounds
No specific non-patch workarounds were provided in the bulletin. Organizations unable to patch immediately should restrict access to the AMC interface and monitor logs for the indicators listed below.
## Detection
**Indicators of Compromise (IoCs):**
* **Log Entries (extraweb_access.log):** Presence of requests to `/__api__/login` or `/__api__/logout` returning an HTTP 200 status.
* **Log Entries (extraweb_access.log):** Requests to `/wsproxy` containing suspicious host parameters returning an HTTP 101 status.
* **Log Entries (ctrl-service.log):** Mentions of hotfix rollbacks associated with path traversal filenames.
* **System Configuration:** If the file `/var/lib/unit/conf.json` contains routes for `/__api__/login` or `/__api__/logout`.
**Post-Compromise Actions:**
If IoCs are detected, SonicWall recommends re-imaging physical appliances (or redeploying virtual ones), updating all passwords, and resetting TOTP tokens.
## References
- SonicWall Security Advisory: hxxps[://]psirt[.]global[.]sonicwall[.]com/vuln-detail/SNWLID-2026-0008
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- The Hacker News Article: hxxps[://]thehackernews[.]com/2026/07/two-sonicwall-sma-1000-zero-days[.]html