SonicWall has alerted customers to the active exploitation of two critical zero-day vulnerabilities affecting its Secure Mobile Access (SMA) 1000 series appliances. One of the flaws is particularly severe, as it can potentially allow attackers to execute arbitrary operating system commands with administrative privileges, posing a significant threat to enterprise environments.
The vulnerabilities identified are:
CVE-2026-15409 (CVSS 10.0)
A critical Server-Side Request Forgery (SSRF) vulnerability that enables a remote, unauthenticated attacker to manipulate the appliance into sending requests to unintended destinations. Successful exploitation could allow attackers to interact with internal resources and bypass security controls.
CVE-2026-15410 (CVSS 7.2)
A post-authentication code injection vulnerability within the Appliance Management Console (AMC). Under specific conditions, an authenticated attacker can exploit the flaw to execute arbitrary operating system commands with administrator-level privileges, potentially leading to full system compromise.
SonicWall confirmed that it has investigated multiple incidents indicating real-world exploitation of both vulnerabilities and strongly recommends that organizations apply security updates immediately to mitigate risk.
Available Security Fixes
Affected customers should upgrade to one of the following patched releases:
- Version 12.4.3-03453 (platform-hotfix) or later
- Version 12.5.0-02835 (platform-hotfix) or later
Recommended Compromise Assessment
In addition to patching, SonicWall advises customers to conduct a comprehensive forensic review of affected appliances to determine whether exploitation has already occurred. Security teams should look for several indicators of compromise (IoCs), including:
- Requests to
/__api__/loginor/__api__/logoutreturning HTTP 200 responses within extraweb_access.log - Suspicious
/wsproxyrequests containing unusual host parameters and HTTP 101 status codes - Evidence of hotfix rollback activities involving path traversal names recorded in ctrl-service.log
- Unauthorized routes for
/__api__/loginor/__api__/logoutappearing in/var/lib/unit/conf.json, as these entries are not part of legitimate configurations
If any of these indicators are discovered, organizations should take immediate remediation steps, including:
- Re-imaging physical SMA appliances
- Redeploying virtual SMA instances
- Resetting all user and administrator passwords
- Reissuing or resetting time-based one-time password (TOTP) tokens
Discovery and Investigation
The vulnerabilities were discovered and responsibly disclosed by Adam Babis of SonicWall's Product Security Incident Response Team (PSIRT). SonicWall also credited security researchers Sean Koessel and Steven Adair of Volexity for assisting with the investigation and helping identify additional indicators of compromise.
CISA Adds Flaws to Known Exploited Vulnerabilities Catalog
The seriousness of the vulnerabilities has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities (KEV) Catalog. As a result, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerabilities by July 17, 2026, underscoring the urgent need for organizations to secure potentially affected systems.
With active exploitation already confirmed, security professionals are advised to prioritize patching, conduct compromise assessments, and closely monitor SMA 1000 environments for signs of malicious activity.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
