TL;DR
SonicWall patched a critical SonicWall SMA1000 vulnerability, CVE-2026-15409, on July 14, 2026. Attackers are exploiting it in the wild to reach remote code execution. A public proof-of-concept now exists, so patching cannot wait.
Why this SonicWall SMA1000 vulnerability matters
SMA1000 appliances sit at the network edge and face the internet by design. CVE-2026-15409 carries a maximum CVSS score of 10.0 and needs no authentication. Therefore, a single crafted request can reach internal services.
Both SonicWall and Rapid7 confirmed active exploitation before the advisory went public. CISA also added the flaw to its Known Exploited Vulnerabilities catalog. As a result, exposed appliances now count as high-priority assets.
How the attack works
The bug lives in a websocket proxy feature at the /wsproxy path on the SonicWall WorkPlace portal. This feature opens a TCP tunnel to hosts and ports supplied in URL parameters. By pointing those values at localhost, an attacker reaches internal appliance services hidden behind the firewall.
From there, attackers pivot to a second flaw, CVE-2026-15410. This code injection issue runs operating system commands as root. Consequently, the chain turns one unauthenticated request into full appliance takeover. The Rapid7 MDR write-up documents the tunnel-to-root path.
Exploitation status
SonicWall and Rapid7 both confirm exploitation in the wild. Rapid7’s MDR team spotted the activity before disclosure. Moreover, a Python proof-of-concept for CVE-2026-15409 is now public, and a Metasploit module is in development. Rapid7 also observed attackers harvesting credentials, session data, and TOTP seeds after a foothold.
Affected versions
The flaw affects SonicWall SMA1000 models 6210, 7210, and 8200v. Vulnerable builds span the 12.4.3 and 12.5.0 branches.
- 12.4.3-03245, 12.4.3-03387, 12.4.3-03434
- 12.5.0-02283, 12.5.0-02624, 12.5.0-02800
Notably, SSL VPN on SonicWall firewalls and the SMA 100 Series stay unaffected.
Patch and mitigation steps
SonicWall offers no workaround, so patching is the only fix. Upgrade affected appliances at once.
- Update to 12.4.3-03453 (platform-hotfix) or later.
- Update to 12.5.0-02835 (platform-hotfix) or later.
Patching alone is not enough, however. Because attackers steal credentials and session data, teams must hunt for compromise. Review the SonicWall security advisory for indicators and remediation guidance.
If you find signs of intrusion, re-image the appliance, reset user and admin passwords, and rotate TOTP tokens. Federal agencies face a July 17, 2026 deadline under CISA’s directive. Private organizations should treat this SonicWall SMA1000 vulnerability with the same urgency.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.