News

SonicWall Warns of Active Exploitation of Two Zero-Day Vulnerabilities in SMA 1000 Series

SonicWall warns of active exploitation of two zero-day vulnerabilities in SMA 1000 series appliances, urging immediate patching.

SonicWall has identified two critical zero-day vulnerabilities in its SMA 1000 series devices, with active exploitation detected. Patches are available, and CISA has mandated immediate action for federal agencies.

SonicWall Warns of Active Exploitation of Two Zero-Day Vulnerabilities in SMA 1000 Series

SonicWall has issued an urgent warning regarding the active exploitation of two zero-day vulnerabilities affecting its Secure Mobile Access (SMA) 1000 series appliances. The vulnerabilities, both critical in nature, could allow attackers to execute arbitrary commands or manipulate the appliance's behavior.

Vulnerabilities Identified

  1. CVE-2026-15409 (CVSS score: 10.0)

    • A server-side request forgery (SSRF) vulnerability that allows a remote, unauthenticated attacker to force the appliance to make requests to an unintended location.
  2. CVE-2026-15410 (CVSS score: 7.2)

    • A post-authentication code injection vulnerability in the Appliance Management Console (AMC) that enables a remote, authenticated attacker to execute arbitrary operating system commands as an administrator under certain conditions.

Active Exploitation Confirmed

SonicWall confirmed that both vulnerabilities are being actively exploited in the wild. The company has urged customers to apply the available patches immediately to mitigate the risk of compromise. The patches are available in the following versions:

  • 12.4.3-03453 (platform-hotfix) and higher
  • 12.5.0-02835 (platform-hotfix) and higher

Indicators of Compromise (IoCs)

SonicWall has provided guidance for customers to perform forensic analysis to detect potential exploitation:

  • Check extraweb_access.log for suspicious requests to /__api__/login, /__api__/logout, or /wsproxy with unusual parameters.
  • Look for hotfix rollbacks with path traversal names in ctrl-service.log.
  • Inspect /var/lib/unit/conf.json for routes related to /__api__/login or /__api__/logout, which are not part of legitimate configurations.

If any of these indicators are found, SonicWall advises re-imaging physical appliances, redeploying virtual appliances, changing passwords, and resetting time-based one-time password tokens.

Credits and CISA Response

The vulnerabilities were discovered by Adam Babis of SonicWall's Product Security Incident Response Team (PSIRT). Additional contributions were made by Volexity's Sean Koessel and Steven Adair, who helped advance the investigation and identify further indicators of compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by July 17, 2026.

Conclusion

Organizations using SonicWall SMA 1000 series appliances are strongly advised to apply the patches immediately and conduct thorough forensic reviews to ensure their systems have not been compromised.