SonicWall Warns of Active Exploitation of Two Zero-Day Vulnerabilities in SMA 1000 Series
SonicWall has issued an urgent warning regarding the active exploitation of two zero-day vulnerabilities affecting its Secure Mobile Access (SMA) 1000 series appliances. The vulnerabilities, both critical in nature, could allow attackers to execute arbitrary commands or manipulate the appliance's behavior.
Vulnerabilities Identified
-
CVE-2026-15409 (CVSS score: 10.0)
- A server-side request forgery (SSRF) vulnerability that allows a remote, unauthenticated attacker to force the appliance to make requests to an unintended location.
-
CVE-2026-15410 (CVSS score: 7.2)
- A post-authentication code injection vulnerability in the Appliance Management Console (AMC) that enables a remote, authenticated attacker to execute arbitrary operating system commands as an administrator under certain conditions.
Active Exploitation Confirmed
SonicWall confirmed that both vulnerabilities are being actively exploited in the wild. The company has urged customers to apply the available patches immediately to mitigate the risk of compromise. The patches are available in the following versions:
- 12.4.3-03453 (platform-hotfix) and higher
- 12.5.0-02835 (platform-hotfix) and higher
Indicators of Compromise (IoCs)
SonicWall has provided guidance for customers to perform forensic analysis to detect potential exploitation:
- Check
extraweb_access.logfor suspicious requests to/__api__/login,/__api__/logout, or/wsproxywith unusual parameters. - Look for hotfix rollbacks with path traversal names in
ctrl-service.log. - Inspect
/var/lib/unit/conf.jsonfor routes related to/__api__/loginor/__api__/logout, which are not part of legitimate configurations.
If any of these indicators are found, SonicWall advises re-imaging physical appliances, redeploying virtual appliances, changing passwords, and resetting time-based one-time password tokens.
Credits and CISA Response
The vulnerabilities were discovered by Adam Babis of SonicWall's Product Security Incident Response Team (PSIRT). Additional contributions were made by Volexity's Sean Koessel and Steven Adair, who helped advance the investigation and identify further indicators of compromise.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by July 17, 2026.
Conclusion
Organizations using SonicWall SMA 1000 series appliances are strongly advised to apply the patches immediately and conduct thorough forensic reviews to ensure their systems have not been compromised.