- Total: 2 CVEs
- Severity: 1 Critical · 1 High
- Actively exploited: 2 (zero-day / KEV)
- Highest severity: 10.0 (Critical · CVSSv3) — CVE-2026-15409
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-15409 | 10.0 | CWE-918 | Exploited |
| CVE-2026-15410 | 7.2 | CWE-94 | Exploited |
TL;DR
SonicWall has released hotfixes for two actively exploited flaws in SMA1000 secure access appliances. The SonicWall SMA1000 SSRF vulnerability, tracked as CVE-2026-15409, carries a maximum CVSS score of 10.0 and requires no authentication. SonicWall PSIRT has investigated multiple cases indicating active exploitation of both flaws in the wild.
Why It Matters
SMA1000 appliances act as remote access gateways at the network edge. Consequently, they face the internet by design and make prime targets. An unauthenticated, maximum-severity flaw on such a device leaves little room for delay. Moreover, no workaround exists for this advisory, so patching is the only complete fix. Attackers are already active, which turns this update into an emergency task.
How the Attack Works
CVE-2026-15409: Unauthenticated SSRF (CVSS 10.0)
The flaw sits in the SMA1000 Work Place interface and maps to CWE-918. A remote attacker can force the appliance to send requests to unintended locations without credentials. The CVSS vector shows a scope change with high impact on confidentiality, integrity, and availability.
CVE-2026-15410: Post-Auth Code Injection (CVSS 7.2)
This code injection flaw (CWE-94) affects the Appliance Management Console. Under specific conditions, a remote attacker with administrator access can execute arbitrary OS commands.
Affected Versions
The flaws affect SMA1000 models 6210, 7210, and 8200v. Vulnerable builds include 12.4.3-03245, 12.4.3-03387, and 12.4.3-03434, plus 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. SSL-VPN on SonicWall firewalls and the SMA 100 Series are not affected.
Patch and Mitigation Steps
Upgrade to platform-hotfix 12.4.3-03453 or 12.5.0-02835 and higher, available on mysonicwall.com. Afterward, hunt for indicators of compromise listed in the SonicWall PSIRT advisory SNWLID-2026-0008. Warning signs include rogue /__api__/login routes in unit configuration and suspicious /wsproxy requests in access logs. If any indicators appear, re-image hardware or re-deploy virtual appliances. Then change all user and administrator passwords and reset TOTP tokens.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.