SonicWall is warning customers that two vulnerabilities in its SMA1000 series appliances are being actively exploited in zero-day attacks, and is urging immediate patching. The disclosure follows the company’s investigation of multiple confirmed compromise incidents.

The more severe flaw, CVE-2026-15409, is a critical server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface, rated CVSS 10.0. It allows a remote, unauthenticated attacker to force the appliance into making requests to unintended destinations. The second flaw, CVE-2026-15410, is a high-severity post-authentication code injection vulnerability in the Appliance Management Console (CVSS 7.2) that lets an authenticated administrator execute arbitrary operating system commands. Despite requiring admin access, SonicWall assigned the overall advisory a CVSS score of 10.0.

SonicWall has not disclosed whether attackers are chaining the two vulnerabilities together, but says it has confirmed active exploitation of both. The affected models are SMA1000 6210, 7210, and 8200v, running platform-hotfix releases 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800. Fixes are available in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835 and later. SonicWall confirms SSL-VPN on its firewalls and the SMA 100 Series are not affected, and there are no workarounds other than applying the hotfix.

Indicators of Compromise

SonicWall published IOCs administrators can check for signs of compromise, including:

  • Requests to /__api__/login or /__api__/logout in extraweb_access.log returning HTTP 200
  • Requests to /wsproxy with suspicious host parameters returning HTTP 101
  • Hotfix rollback entries with path traversal names in ctrl-service.log
  • Unexpected routes for /__api__/login or /__api__/logout in /var/lib/unit/conf.json

If any IOCs are found, SonicWall recommends re-imaging physical appliances, redeploying virtual appliances, rotating all user and administrator passwords, and resetting TOTP tokens.

Federal Deadline

CISA has added both CVEs to its Known Exploited Vulnerabilities catalog alongside two Microsoft flaws (CVE-2026-56155 affecting AD FS and CVE-2026-56164 affecting SharePoint Server). Under Binding Operational Directive 26-04, federal civilian agencies must remediate the SonicWall vulnerabilities by July 17, 2026, or discontinue use of the affected product if mitigation isn’t possible. CISA encourages all organizations, not just federal agencies, to prioritize these fixes given confirmed in-the-wild exploitation.