SonicWall has confirmed active zero-day exploitation of two SMA1000 remote-access flaws, CVE-2026-15409 and CVE-2026-15410, prompting an emergency hotfix. For UK organisations relying on SMA1000 gateways, this is a same-day patching decision, not a maintenance-window one.
View the data behind this chart
| SSRF (CVE-2026-15409) | Code injection (CVE-2026-1… | |
|---|---|---|
| CVSS score | 10 | 7.2 |
What SonicWall disclosed
SonicWall's advisory, reported by BleepingComputer on 14 July 2026, confirms two vulnerabilities in its SMA1000 secure remote access appliances are being actively exploited in the wild. CVE-2026-15409 is a critical server-side request forgery (SSRF) flaw in the Appliance Work Place interface, rated CVSS 10.0, that lets a remote, unauthenticated attacker force the appliance into making requests it was never meant to make. CVE-2026-15410 is a high-severity post-authentication code injection flaw in the Appliance Management Console, rated CVSS 7.2, which allows a logged-in administrator account to execute arbitrary operating system commands.
SonicWall has assigned the overall advisory a CVSS score of 10.0 despite the second flaw requiring admin credentials, reflecting the danger of the combined attack surface. The company says it has "investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory" and has not disclosed whether attackers are chaining the two together, though the possibility should be assumed by defenders until proven otherwise.
Which devices are exposed
The flaws affect SMA1000 hardware and virtual appliance models 6210, 7210, and 8200v running platform-hotfix releases 12.4.3-03245, 12.4.3-03387, 12.4.3-03434, 12.5.0-02283, 12.5.0-02624, or 12.5.0-02800. Fixes are shipped in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835, and any later release. Crucially, SonicWall states these vulnerabilities do not affect SSL-VPN running on its firewall products or the separate SMA 100 Series line, so buyers running those platforms are not exposed to this particular advisory — though it's worth reviewing overall vulnerability management strategies for both product families regardless.
- •Affected: SMA1000 models 6210, 7210, 8200v on six listed hotfix versions
- •Fixed: platform-hotfix 12.4.3-03453 and 12.5.0-02835, or later
- •Unaffected: SonicWall firewall SSL-VPN and SMA 100 Series
Why there's no fallback option
SonicWall has been explicit that there are no workarounds or mitigating configurations for these flaws — the only remediation is installing the hotfix. That removes the usual buffer UK IT teams rely on when a patch can't be scheduled immediately, such as disabling a feature or restricting access via firewall rules. Any organisation that cannot patch SMA1000 appliances within days, rather than weeks, needs to treat the appliance as compromised until proven otherwise and plan around that assumption when reviewing network security solutions for the perimeter.

Checking for compromise, not just patching
SonicWall has published indicators of compromise that go beyond simply confirming a patched version number. Administrators should check extraweb_access.log for requests to /__api__/login or /__api__/logout returning HTTP 200, and for requests to /wsproxy with suspicious host parameters returning HTTP 101. The ctrl-service.log should be reviewed for hotfix rollback entries containing path traversal filenames, and /var/lib/unit/conf.json should be examined for routes referencing /__api__/login or /__api__/logout, since SonicWall confirms these routes do not exist in a legitimate configuration.
Where any of these indicators appear, SonicWall's guidance is unambiguous: re-image physical appliances or redeploy virtual appliances from a known-good state, rotate all user and administrator passwords, and reset TOTP tokens. That is a significant operational lift for organisations with SMA1000 gateways sitting at the heart of remote access, which is exactly why UK teams should be running this IOC check today rather than waiting for a scheduled audit — a task that fits naturally into managed detection & response workflows if in-house log review capacity is limited.
The wider UK remote-access decision
CISA has added both CVE-2026-15409 and CVE-2026-15410 to its Known Exploited Vulnerabilities catalogue, and US federal agencies have been given until 17 July 2026 to remediate under Binding Operational Directive 26-04, or stop using the product entirely if mitigation isn't possible. UK organisations aren't bound by that directive, but the same urgency applies commercially: an unauthenticated CVSS 10.0 SSRF on a remote-access gateway sitting on the public internet is a live target the moment it's disclosed, and threat actors typically move faster on these appliances than defenders expect.
This incident also reopens a longer-running conversation for UK buyers about architecture, not just patching cadence. Legacy SMA-style remote access appliances present a single, internet-facing point of failure; many organisations are now comparing that model against VPN vs ZTNA for business approaches that reduce the blast radius of any single gateway compromise. For teams weighing perimeter replacement rather than a like-for-like renewal, it's also worth reviewing current options among the best firewalls in the UK alongside platforms from Fortinet security products and Palo Alto Networks solutions.
View the data behind this chart
| Phase | Starts (week) | Duration (weeks) |
|---|---|---|
| Patch to hotfix 12.4.3-03453… | 0 | 1 |
| Run IOC checks on logs and… | 1 | 1 |
| Re-image and reset creds if… | 2 | 1 |
| Review zero trust / ZTNA… | 3 | 1 |
What UK security and IT leaders should do this week
The immediate action is straightforward: identify every SMA1000 appliance in the estate, confirm its hotfix version against the affected list, and upgrade to 12.4.3-03453, 12.5.0-02835, or later without waiting for a change window. Run the published IOC checks against logs and configuration files before assuming a device is clean, and treat any hit as a confirmed compromise requiring re-imaging and full credential rotation. Beyond the immediate fix, this is a useful trigger to stress-test wider zero trust posture and, where a compromise is confirmed, to loop in ransomware protection planning given how often initial access via remote-access appliances precedes a wider extortion attempt.
