SonicWall Zero-Days Under Active Exploitation: Critical Patches Issued for SMA 1000 Series
SonicWall has issued an urgent warning regarding two zero-day vulnerabilities in its Secure Mobile Access (SMA) 1000 series appliances, both of which are currently being actively exploited in the wild. One of these critical flaws could lead to arbitrary command execution, posing a significant risk to affected organizations. IT security professionals and privacy-conscious users are strongly advised to apply the provided hotfixes immediately.
Network security vendor **SonicWall** has alerted customers to active exploitation of two critical zero-day vulnerabilities impacting its **Secure Mobile Access (SMA) 1000 series** appliances. The most severe of these flaws could enable remote attackers to achieve arbitrary command execution.
### Critical Vulnerabilities Detailed
The two vulnerabilities, now patched, are:
* **CVE-2026-15409** (CVSS score: 10.0): A Server-side Request Forgery (SSRF) vulnerability that an unauthenticated remote attacker could exploit to force the appliance to make requests to unintended locations.
* **CVE-2026-15410** (CVSS score: 7.2): A post-authentication code injection vulnerability within the Appliance Management Console (AMC). A remote authenticated attacker could exploit this to execute arbitrary operating system commands as an administrator under specific conditions.
**SonicWall** confirmed it has "investigated multiple cases indicating the active exploitation of the vulnerabilities," underscoring the urgency for customers to apply the available fixes.
### Immediate Action Required
Patches are available in the following versions:
* 12.4.3-03453 (platform-hotfix) and higher versions
* 12.5.0-02835 (platform-hotfix) and higher versions
Users are also strongly urged to conduct a thorough forensic analysis of their systems for **Indicators of Compromise (IoCs)** related to the exploitation. Key IoCs include:
* Requests to `/__api__/login` or `/__api__/logout` with HTTP 200 status in `extraweb_access.log`.
* Requests to `/wsproxy` with suspicious host parameters and HTTP 101 status in `extraweb_access.log`.
* Mentions of hotfix rollbacks with path traversal names in `ctrl-service.log`.
* The presence of routes for `/__api__/login` or `/__api__/logout` in `/var/lib/unit/conf.json` (these URIs are not part of legitimate configurations).
Should any of these indicators be present, **SonicWall** recommends re-imaging physical appliances or redeploying virtual appliances, changing all user and administrator passwords, and resetting time-based one-time password tokens.
### Acknowledgments and CISA Alert
**Adam Babis** of **SonicWall's Product Security Incident Response Team (PSIRT)** has been credited with discovering and reporting these flaws. **SonicWall** also acknowledged the contributions of **Sean Koessel** and **Steven Adair** from **Volexity** for their assistance in the internal investigation and identifying an additional IoC.
In response to the active exploitation, the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added both flaws to its **Known Exploited Vulnerabilities (KEV)** catalog. This mandates that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by July 17, 2026.