Select your language

WHAT ARE YOU LOOKING FOR?

Popular Tags

Raleigh, NC

32°F
Few Clouds Humidity: 47%
Wind: 1.34 M/S

Hackers Leverage Two SonicWall SMA 1000 Zero-Days, One Capable of Executing Administrative Commands

Hackers Leverage Two SonicWall SMA 1000 Zero-Days, One Capable of Executing Administrative Commands

SonicWall has alerted customers to the active exploitation of two critical zero-day vulnerabilities affecting its Secure Mobile Access (SMA) 1000 series appliances. One of the flaws is particularly severe, as it can potentially allow attackers to execute arbitrary operating system commands with administrative privileges, posing a significant threat to enterprise environments.

The vulnerabilities identified are:

CVE-2026-15409 (CVSS 10.0)
A critical Server-Side Request Forgery (SSRF) vulnerability that enables a remote, unauthenticated attacker to manipulate the appliance into sending requests to unintended destinations. Successful exploitation could allow attackers to interact with internal resources and bypass security controls.

CVE-2026-15410 (CVSS 7.2)
A post-authentication code injection vulnerability within the Appliance Management Console (AMC). Under specific conditions, an authenticated attacker can exploit the flaw to execute arbitrary operating system commands with administrator-level privileges, potentially leading to full system compromise.

SonicWall confirmed that it has investigated multiple incidents indicating real-world exploitation of both vulnerabilities and strongly recommends that organizations apply security updates immediately to mitigate risk.

Available Security Fixes

Affected customers should upgrade to one of the following patched releases:

  • Version 12.4.3-03453 (platform-hotfix) or later
  • Version 12.5.0-02835 (platform-hotfix) or later

Recommended Compromise Assessment

In addition to patching, SonicWall advises customers to conduct a comprehensive forensic review of affected appliances to determine whether exploitation has already occurred. Security teams should look for several indicators of compromise (IoCs), including:

  • Requests to /__api__/login or /__api__/logout returning HTTP 200 responses within extraweb_access.log
  • Suspicious /wsproxy requests containing unusual host parameters and HTTP 101 status codes
  • Evidence of hotfix rollback activities involving path traversal names recorded in ctrl-service.log
  • Unauthorized routes for /__api__/login or /__api__/logout appearing in /var/lib/unit/conf.json, as these entries are not part of legitimate configurations

If any of these indicators are discovered, organizations should take immediate remediation steps, including:

  • Re-imaging physical SMA appliances
  • Redeploying virtual SMA instances
  • Resetting all user and administrator passwords
  • Reissuing or resetting time-based one-time password (TOTP) tokens

Discovery and Investigation

The vulnerabilities were discovered and responsibly disclosed by Adam Babis of SonicWall's Product Security Incident Response Team (PSIRT). SonicWall also credited security researchers Sean Koessel and Steven Adair of Volexity for assisting with the investigation and helping identify additional indicators of compromise.

CISA Adds Flaws to Known Exploited Vulnerabilities Catalog

The seriousness of the vulnerabilities has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities (KEV) Catalog. As a result, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerabilities by July 17, 2026, underscoring the urgent need for organizations to secure potentially affected systems.

With active exploitation already confirmed, security professionals are advised to prioritize patching, conduct compromise assessments, and closely monitor SMA 1000 environments for signs of malicious activity.

Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post. 

Cybersecurity Insight delivers timely updates on global cybersecurity developments, including recent system breaches, cyber-attacks, advancements in artificial intelligence (AI), and emerging technology innovations. Our goal is to keep viewers well-informed about the latest trends in technology and system security, and how these changes impact our lives and the broader ecosystem

Please fill the required field.