SonicWall Warns of Actively Exploited SMA 1000 Zero-Days as CISA Adds Flaws to KEV Catalog

The CyberSec Guru

CISA Warns of Exploited SonicWall

If you like this post, then please share it:

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Why your support matters: Zero paywalls: Keep the main content 100% free for learners worldwide.

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

SonicWall has disclosed two zero-day vulnerabilities that are already being exploited in the wild, including one flaw that can ultimately allow attackers to execute operating system commands with administrative privileges. The company has released emergency hotfixes and is urging customers to investigate affected appliances for signs of compromise rather than simply installing the updates.

The vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, affect the SMA 1000 series, SonicWall’s SSL VPN platform widely used by enterprises, government agencies, managed service providers, and large organizations to provide secure remote access.

Adding further urgency, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming that there is credible evidence of active exploitation.

SonicWall Logo
SonicWall Logo

Two vulnerabilities, one attack chain

The more severe of the two issues is CVE-2026-15409, a critical Server-Side Request Forgery (SSRF) vulnerability with a CVSS score of 10.0.

According to SonicWall, the flaw allows an unauthenticated remote attacker to make the appliance send requests to unintended destinations. On its own, SSRF vulnerabilities are often used to reach internal services that would normally be inaccessible from the internet.

The second vulnerability, CVE-2026-15410, carries a CVSS score of 7.2 and affects the Appliance Management Console (AMC). It requires authentication but can allow an attacker to execute arbitrary operating system commands with administrator privileges under certain conditions.

Security researchers say the two vulnerabilities have been observed being used together. An attacker first abuses the SSRF vulnerability to gain an initial foothold before leveraging the code injection flaw to execute commands on the appliance.

That combination significantly increases the impact compared to either vulnerability in isolation.

SonicWall confirms active exploitation

Unlike many security advisories that warn about potential attacks, SonicWall says it has investigated multiple customer incidents involving exploitation of these vulnerabilities.

The company has not released technical details describing how the attacks work, likely to avoid helping additional threat actors before organizations have had an opportunity to patch their systems.

SonicWall credited Adam Babis from its Product Security Incident Response Team (PSIRT) with discovering and reporting both vulnerabilities. The company also acknowledged assistance from Sean Koessel and Steven Adair of Volexity, whose work helped identify an additional indicator of compromise during the investigation.

Patching is only the first step

One of the more notable aspects of SonicWall’s advisory is its emphasis that installing the hotfix alone may not be enough.

Organizations are encouraged to examine appliances for evidence that attackers gained access before updates were applied.

Among the indicators administrators should investigate are:

  • Requests to /__api__/login or /__api__/logout returning HTTP 200 responses in extraweb_access.log
  • Requests to /wsproxy containing suspicious host parameters with HTTP 101 responses
  • Hotfix rollback entries containing path traversal filenames in ctrl-service.log
  • Unexpected /__api__/login or /__api__/logout routes appearing in /var/lib/unit/conf.json

According to SonicWall, those API routes should not exist in a legitimate appliance configuration.

If any of these indicators are present, the company’s guidance goes well beyond patching. Administrators should re-image physical appliances or redeploy virtual instances, rotate administrator and user passwords, and reset time-based one-time password (TOTP) tokens.

Those recommendations suggest SonicWall considers post-compromise recovery to be just as important as vulnerability remediation.

Affected products and fixed versions

The vulnerabilities affect the following SMA 1000 appliances:

  • SMA 6210
  • SMA 7210
  • SMA 8200v

Affected firmware includes multiple releases across the 12.4.3 and 12.5.0 branches.

SonicWall has released fixes in:

  • 12.4.3-03453 (platform-hotfix) and later
  • 12.5.0-02835 (platform-hotfix) and later

Customers that have not yet updated should treat the upgrade as a high priority, particularly if their appliances are internet-facing.

CISA places the vulnerabilities on the KEV list

Shortly after SonicWall published its advisory, CISA added both vulnerabilities to its Known Exploited Vulnerabilities Catalog.

The agency also included two Microsoft vulnerabilities in the same update:

  • CVE-2026-56155 affecting Active Directory Federation Services
  • CVE-2026-56164 affecting Microsoft SharePoint Server

Under Binding Operational Directive 26-04, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities within specified deadlines. For these SonicWall vulnerabilities, federal agencies must apply the required fixes by July 17, 2026.

Although the directive applies specifically to federal agencies, CISA continues to recommend that private organizations prioritize KEV-listed vulnerabilities because they have already been exploited by threat actors.

A familiar target

SonicWall appliances continue to attract significant attention from attackers.

Over the past several years, threat groups have repeatedly targeted VPN gateways, edge appliances, and remote access infrastructure because successful compromises often provide direct access to internal enterprise networks.

Unlike traditional endpoints, these systems frequently sit on the edge of corporate environments and are exposed directly to the internet, making them attractive targets for both espionage groups and financially motivated attackers.

Recent campaigns involving VPN appliances from multiple vendors have shown that attackers often move quickly once new vulnerabilities become public, particularly when authentication bypass or remote code execution is involved.

What administrators should do

Organizations using SonicWall SMA 1000 appliances should assume these vulnerabilities require immediate attention.

Recommended actions include:

  • Install the latest platform hotfix without delay.
  • Review appliance logs for the published indicators of compromise.
  • Determine whether exploitation occurred before patching.
  • Re-image or redeploy affected appliances if compromise is suspected.
  • Rotate administrator credentials and user passwords.
  • Reset TOTP tokens where appropriate.
  • Continue monitoring appliances for unusual administrative activity following remediation.

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Your contribution powers free tutorials, hands-on labs, and security resources.

Why your support matters:
  • Writeup Access: Get complete writeup access within 12 hours
  • Zero paywalls: Keep the main content 100% free for learners worldwide

Perks for one-time supporters:
☕️ $5: Shoutout in Buy Me a Coffee
🛡️ $8: Fast-track Access to Live Webinars
💻 $10: Vote on future tutorial topics + exclusive AMA access

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

If you like this post, then please share it:

News

Discover more from The CyberSec Guru

Subscribe to get the latest posts sent to your email!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from The CyberSec Guru

Subscribe now to keep reading and get access to the full archive.

Continue reading