UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

SonicWall SMA1000 Zero-Day CVE-2026-15409: Patch Now

London · Servnet News Desk · IT infrastructure analysis4 min read
Share

SonicWall has confirmed active zero-day exploitation of two SMA1000 remote-access flaws, CVE-2026-15409 and CVE-2026-15410, prompting an emergency hotfix. For UK organisations relying on SMA1000 gateways, this is a same-day patching decision, not a maintenance-window one.

CVSS severity of the two SMA1000 zero-days
10853010SSRF (CVE-2026-15409)7.2Code injection (CVE-2026-1…CVSS score
View the data behind this chart
CVSS severity of the two SMA1000 zero-days
SSRF (CVE-2026-15409)Code injection (CVE-2026-1…
CVSS score107.2

What SonicWall disclosed

SonicWall's advisory, reported by BleepingComputer on 14 July 2026, confirms two vulnerabilities in its SMA1000 secure remote access appliances are being actively exploited in the wild. CVE-2026-15409 is a critical server-side request forgery (SSRF) flaw in the Appliance Work Place interface, rated CVSS 10.0, that lets a remote, unauthenticated attacker force the appliance into making requests it was never meant to make. CVE-2026-15410 is a high-severity post-authentication code injection flaw in the Appliance Management Console, rated CVSS 7.2, which allows a logged-in administrator account to execute arbitrary operating system commands.

SonicWall has assigned the overall advisory a CVSS score of 10.0 despite the second flaw requiring admin credentials, reflecting the danger of the combined attack surface. The company says it has "investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory" and has not disclosed whether attackers are chaining the two together, though the possibility should be assumed by defenders until proven otherwise.

Which devices are exposed

The flaws affect SMA1000 hardware and virtual appliance models 6210, 7210, and 8200v running platform-hotfix releases 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, or 12.5.0-02800. Fixes are shipped in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, and any later release. Crucially, SonicWall states these vulnerabilities do not affect SSL-VPN running on its firewall products or the separate SMA 100 Series line, so buyers running those platforms are not exposed to this particular advisory — though it's worth reviewing overall vulnerability management strategies for both product families regardless.

  • Affected: SMA1000 models 6210, 7210, 8200v on six listed hotfix versions
  • Fixed: platform-hotfix 12.4.3-03453 and 12.5.0-02835, or later
  • Unaffected: SonicWall firewall SSL-VPN and SMA 100 Series

Why there's no fallback option

SonicWall has been explicit that there are no workarounds or mitigating configurations for these flaws — the only remediation is installing the hotfix. That removes the usual buffer UK IT teams rely on when a patch can't be scheduled immediately, such as disabling a feature or restricting access via firewall rules. Any organisation that cannot patch SMA1000 appliances within days, rather than weeks, needs to treat the appliance as compromised until proven otherwise and plan around that assumption when reviewing network security solutions for the perimeter.

Illustration: SonicWall SMA1000 Zero-Day CVE-2026-15409: Patch Now

Checking for compromise, not just patching

SonicWall has published indicators of compromise that go beyond simply confirming a patched version number. Administrators should check extraweb_access.log for requests to /__api__/login or /__api__/logout returning HTTP 200, and for requests to /wsproxy with suspicious host parameters returning HTTP 101. The ctrl-service.log should be reviewed for hotfix rollback entries containing path traversal filenames, and /var/lib/unit/conf.json should be examined for routes referencing /__api__/login or /__api__/logout, since SonicWall confirms these routes do not exist in a legitimate configuration.

Where any of these indicators appear, SonicWall's guidance is unambiguous: re-image physical appliances or redeploy virtual appliances from a known-good state, rotate all user and administrator passwords, and reset TOTP tokens. That is a significant operational lift for organisations with SMA1000 gateways sitting at the heart of remote access, which is exactly why UK teams should be running this IOC check today rather than waiting for a scheduled audit — a task that fits naturally into managed detection & response workflows if in-house log review capacity is limited.

The wider UK remote-access decision

CISA has added both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities catalogue, and US federal agencies have been given until 17 July 2026 to remediate under Binding Operational Directive 26-04, or stop using the product entirely if mitigation isn't possible. UK organisations aren't bound by that directive, but the same urgency applies commercially: an unauthenticated CVSS 10.0 SSRF on a remote-access gateway sitting on the public internet is a live target the moment it's disclosed, and threat actors typically move faster on these appliances than defenders expect.

This incident also reopens a longer-running conversation for UK buyers about architecture, not just patching cadence. Legacy SMA-style remote access appliances present a single, internet-facing point of failure; many organisations are now comparing that model against VPN vs ZTNA for business approaches that reduce the blast radius of any single gateway compromise. For teams weighing perimeter replacement rather than a like-for-like renewal, it's also worth reviewing current options among the best firewalls in the UK alongside platforms from Fortinet security products and Palo Alto Networks solutions.

Recommended UK response timeline after disclosure
W0W1W2W3W4Patch to hotfix…1wRun IOC checks on logs…1wRe-image and reset creds…1wReview zero trust / ZTNA…1wTotal: 4 weeks end-to-end
View the data behind this chart
Recommended UK response timeline after disclosure
PhaseStarts (week)Duration (weeks)
Patch to hotfix 12.4.3-03453…01
Run IOC checks on logs and…11
Re-image and reset creds if…21
Review zero trust / ZTNA…31

What UK security and IT leaders should do this week

The immediate action is straightforward: identify every SMA1000 appliance in the estate, confirm its hotfix version against the affected list, and upgrade to 12.4.3-03453, 12.5.0-02835, or later without waiting for a change window. Run the published IOC checks against logs and configuration files before assuming a device is clean, and treat any hit as a confirmed compromise requiring re-imaging and full credential rotation. Beyond the immediate fix, this is a useful trigger to stress-test wider zero trust posture and, where a compromise is confirmed, to loop in ransomware protection planning given how often initial access via remote-access appliances precedes a wider extortion attempt.

Share
Key takeaways
  • CVE-2026-15409 (CVSS 10.0, unauthenticated SSRF) and CVE-2026-15410 (CVSS 7.2, post-auth code injection) are being actively exploited on SonicWall SMA1000 appliances
  • Only SMA1000 models 6210, 7210 and 8200v on specific hotfix versions are affected; firewall SSL-VPN and SMA 100 Series are not impacted
  • There is no workaround — the hotfix (12.4.3-03453, 12.5.0-02835 or later) is the only remediation, so patching cannot be deferred
  • Run SonicWall's published IOC checks before assuming a device is clean; any hit means re-imaging, password rotation and TOTP resets
Frequently asked

FAQs — SonicWall SMA1000 Zero-Day CVE-2026-15409

What are CVE-2026-15409 and CVE-2026-15410?

CVE-2026-15409 is a critical (CVSS 10.0) unauthenticated SSRF vulnerability in the SMA1000 Appliance Work Place interface. CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication code injection flaw in the Appliance Management Console. Both are confirmed as actively exploited in zero-day attacks.

Which SonicWall products are affected?

SMA1000 hardware and virtual appliance models 6210, 7210 and 8200v running specific platform-hotfix releases. SonicWall firewall SSL-VPN and the SMA 100 Series are not affected by this advisory.

Is there a workaround if we can't patch immediately?

No. SonicWall states there are no workarounds or mitigations other than installing the hotfix release, which makes emergency patching the only viable response — a point worth building into broader vulnerability management strategies.

How do we check if our appliance was already compromised?

Review extraweb_access.log for suspicious /__api__/login, /__api__/logout or /wsproxy requests, check ctrl-service.log for hotfix rollback entries with path traversal names, and inspect /var/lib/unit/conf.json for illegitimate API routes. If any indicator is present, SonicWall recommends re-imaging the appliance and resetting all passwords and TOTP tokens.

Related

Turning this into a buying decision?

One conversation with an engineer who's specced this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111