SonicWall SMA 1000 Zero-Days Are Being Exploited Right Now

by Rebecca Sutton

Two SonicWall SMA zero-day flaws are being used in live attacks right now. The target is businesses that rely on the appliances for staff remote access. SonicWall has confirmed active exploitation. CISA has given federal agencies until 17 July 2026 to patch or pull the devices offline. For any organisation running an SMA 1000 series appliance, this is a same-week job, not a next-sprint one.

What the SonicWall SMA zero-day flaws actually do

The worse of the pair is CVE-2026-15409. It sits in the SMA 1000 Workplace interface. It is a server-side request forgery bug with a maximum CVSS score of 10.0, and it needs no login at all. An attacker on the open internet can use it to make the appliance send requests to places it was never meant to reach.

The second flaw, CVE-2026-15410, needs an authenticated session first. It is a code injection bug in the Appliance Management Console. Once triggered, it lets an administrator-level attacker run operating system commands on the box. Chained together, the two flaws give a remote attacker a path from zero access to full control of the appliance.

SonicWall’s advisory names three affected models: the SMA 6210, 7210 and 8200v. Firewalls running SonicWall’s SSL-VPN are not affected. Nor is the older SMA 100 series. So check which product line you actually own before assuming you are exposed.

Confirmed exploitation, not just a theoretical risk

SonicWall’s Product Security Incident Response Team investigated multiple incidents. It worked with Volexity researchers Sean Koessel and Steven Adair. Together they found both vulnerabilities being actively exploited before the fixes were ready. That is why this landed as an emergency advisory rather than a routine patch note.

Rapid7’s managed detection team separately spotted targeted exploitation in its own customer logs. That was on 9 July, days before SonicWall’s public advisory landed on 14 July. Its incident responders describe attackers using the SSRF flaw to get in, then pulling credentials, session data and TOTP multi-factor seeds off the appliance. That let them keep access even after a password reset. Some attackers then pivoted into the internal network using the appliance’s own service account. It is a technique that would let them blend into normal VPN traffic until someone went looking.

CISA added both CVEs to its Known Exploited Vulnerabilities catalog on 14 July. Under Binding Operational Directive 26-04, federal civilian agencies must remediate by 17 July or take the appliance offline. That deadline is a floor for a private business, not a ceiling. An internet-facing box with a maximum-severity, unauthenticated flaw deserves the same urgency whoever owns it.

What to do this week

Closing the SonicWall SMA zero-day hole starts with the hotfix. SonicWall has shipped fixes in platform-hotfix builds 12.4.3-03453 and 12.5.0-02835, and any later release. If your SMA 1000 is running an older build than that, patching is the immediate priority. There is no workaround that closes the SSRF hole. A hotfix is the only real fix.

Patching alone will not undo a compromise that already happened. SonicWall’s guidance is blunt: if you find any sign of the indicators of compromise it published, treat the box as burned. Re-image the hardware, or redeploy the virtual appliance from a clean image. Change every user and administrator password tied to it. Reset TOTP tokens rather than trusting they are still yours alone.

It is worth checking authentication logs too, not just the appliance itself. Rapid7’s write-up flagged VPN-less Active Directory logins coming from the appliance’s internal address. These used non-standard workstation names, exactly the kind of anomaly a busy IT team can miss without knowing to look for it.

Why the SSRF flaw matters more than the score alone suggests

A CVSS score of 10.0 gets attention. But the real story is what an unauthenticated SSRF flaw lets an attacker reach. SonicWall’s Workplace interface is designed to be internet-facing, so anyone can send it a request without ever proving who they are. Once that request can be redirected to internal services the appliance trusts, an attacker gains a route past the authentication boundary the whole product exists to enforce.

That is also why the two flaws are dangerous together. On its own, CVE-2026-15410 only matters to someone who already has a valid login. Chained after the SSRF bug, it turns an anonymous internet connection into administrator-level command execution. Nothing sits in between to stop it.

The bigger pattern

This SonicWall SMA zero-day story is not an isolated one. SMA 1000 is not the first perimeter appliance to end up on the KEV list this year, and it will not be the last. Earlier this year it was pre-authentication bypass flaws in BeyondTrust’s remote access products. Before that it was unpatched VPN appliances handing ransomware crews their way in. Remote access gateways sit at the edge of the network by design. A flaw in one hands an attacker the exact foothold a firewall exists to prevent. Businesses that treat these devices as “set and forget” infrastructure, rather than as internet-facing assets needing the same scrutiny as a public web server, are the ones still cleaning up months later.

The lesson from this SonicWall SMA zero-day episode applies even if you don’t own the product. Anyone not currently running an SMA 1000 should not feel relieved. Check every internet-facing appliance on your perimeter against its vendor’s advisory page this week, not just this one. An external test of your perimeter will catch a misconfigured or outdated gateway before an attacker does. Attackers are actively scanning for exposed management interfaces on exactly this class of device. The next disclosure rarely gives much more warning than this one did.

Subscribe to our newsletter

Honest updates, straight to your inbox. Unsubscribe any time.

You may also like