SonicWall Urges Immediate Patches for Actively Exploited Zero-Day Vulnerabilities in SMA1000
SonicWall has issued an urgent warning to customers regarding two actively exploited zero-day vulnerabilities, **CVE-2026-15409** and **CVE-2026-15410**, impacting its **SMA1000** appliances. These critical flaws are being leveraged in targeted attacks, prompting the cybersecurity vendor to release immediate hotfixes and strongly recommend prompt installation to prevent compromise.

**SonicWall** is sounding the alarm, advising customers to promptly apply security updates for two critical vulnerabilities, **CVE-2026-15409** and **CVE-2026-15410**, found in its **SMA1000** appliances. Both flaws are reportedly being actively exploited in zero-day attacks.
### Critical SSRF and Code Injection Flaws
**CVE-2026-15409** is a critical (CVSS 10.0) server-side request forgery (SSRF) vulnerability affecting the **SMA1000 Appliance WorkPlace** interface. This flaw allows a remote, unauthenticated attacker to force the appliance to make requests to unintended internal or external locations.
**CVE-2026-15410** is a high-severity (CVSS 7.2) post-authentication code injection flaw. Located in the **SMA1000 Appliance Management Console**, it could enable a remote, authenticated administrator to execute arbitrary operating system commands. Despite requiring administrator privileges, **SonicWall** has assigned the advisory an overall CVSS score of 10.0, underscoring the potential severity if chained with other vulnerabilities or exploited by an insider.
### Active Exploitation Confirmed
**SonicWall**'s **Product Security Incident Response Team (PSIRT)** has confirmed active exploitation after investigating multiple incidents. The company's advisory explicitly states, "**SonicWall PSIRT** has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory." Customers are urged to upgrade to the hotfix release as soon as possible.
While active exploitation is confirmed for both, **SonicWall** has not yet disclosed whether attackers are chaining these vulnerabilities together to achieve a full compromise from an unauthenticated state.
### Affected Models and Patches
The vulnerabilities impact **SMA1000** models 6210, 7210, and 8200v running specific platform-hotfix releases: 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800.
Patches are available in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, and later releases. **SonicWall** clarifies that **SSL-VPN** running on **SonicWall** firewalls and the **SMA 100 Series** product line are not affected.
### Indicators of Compromise (IOCs)
Administrators should immediately check for the following **Indicators of Compromise (IOCs)** to determine if an appliance has been compromised:
* Requests to `/__api__/login` or `/__api__/logout` with HTTP 200 status in `extraweb_access.log`.
* Requests to `/wsproxy` with suspicious host parameters and 101 HTTP status in `extraweb_access.log`.
* Hotfix rollbacks with path traversal names mentioned in `ctrl-service.log`.
* The presence of routes for `/__api__/login` or `/__api__/logout` in `/var/lib/unit/conf.json` (these URIs are not part of legitimate configurations).
If compromise is detected, **SonicWall** advises re-imaging physical appliances or redeploying virtual appliances, changing all user and administrator passwords, and resetting **TOTP** tokens. There are no known workarounds or mitigations other than applying the hotfixes.
### CISA Adds to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has added both **CVE-2026-15409** and **CVE-2026-15410** to its **Known Exploited Vulnerabilities (KEV)** catalog. This addition confirms that the vulnerabilities are under active attack and mandates that federal agencies secure affected systems by July 17, 2026, under **Binding Operational Directive (BOD) 26-04**, or discontinue product use if mitigation is impossible.