CVE-2026-15409, CVE-2026-15410: SonicWall SMA 1000 zero-day vulnerabilities exploited in the wild

  • Home |
  • CVE-2026-15409, CVE-2026-15410: SonicWall SMA 1000 zero-day vulnerabilities exploited in the wild

This post was originally published on this site.

SonicWall patched two recently exploited zero-day vulnerabilities in its SMA 1000 Series secure remote access appliances which may have been chained for unauthenticated remote code execution.

Key takeaways

  1. CVE-2026-15409 and CVE-2026-15410 are a pair of exploited vulnerabilities that may have been chained together to allow for code execution on SonicWall SMA1000 series appliances.
     
  2. Zero-day exploitation of these vulnerabilities has been observed and confirmed by SonicWall.
     
  3. Patches and indicators of compromise are available and urgent patching is recommended.

Background

SonicWall’s Secure Mobile Access (SMA) 1000 Series appliances are enterprise-grade SSL VPN gateways which serve as the front door to organizational networks. The SMA series models sit at the edge of the network, internet-facing by design. Because SMA 1000 appliances aggregate remote access credentials and sit directly on the internet, they represent high-value targets for attackers. A compromise at the appliance level can yield administrator credentials, VPN session tokens, and detailed knowledge of the internal network architecture sitting behind the gateway.

On July 14, SonicWall disclosed two vulnerabilities that are being exploited together in the wild:

CVE Description CVSSv3
CVE-2026-15409 SonicWall SMA 1000 server-side request forgery (SSRF) vulnerability 10
CVE-2026-15410 SonicWall SMA 1000 remote code execution vulnerability (RCE) 7.2

While the advisory does not specify if they were exploited in tandem, together they form a fully remote, unauthenticated path to arbitrary OS command execution on affected appliances.

Analysis

CVE-2026-15409 is a SSRF vulnerability affecting the SMA 1000 Workplace interface. This flaw allows a remote, unauthenticated attacker to make network requests to locations of the attacker’s choosing. In practice, SSRF on an internet-facing appliance can serve as a pivot, allowing an attacker to probe internal services, relay authentication material, or reach the AMC in a way that bypasses normal access controls.

CVE-2026-15410 is a code injection vulnerability in the Appliance Management Console (AMC). The AMC is the administrative interface used to configure the appliance, manage users, set access policies, and monitor sessions. While this flaw does require the user to be authenticated, the potential chaining of these vulnerabilities makes the exploitation path possible without authentication.

These flaws have been exploited in the wild as zero-days. While SonicWall has not provided any details on attribution of which threat actors may be behind the attacks, several SonicWall vulnerabilities have been targeted in the past, including the exploitation of zero-days.

Historical exploitation of SonicWall vulnerabilities

SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies. Last year, a surge in ransomware activity was tied to the exploitation of SonicWall Gen 7 Firewalls, prompting warnings from multiple security vendors.

Given the historical exploitation of SonicWall devices, we put together the following list of known SMA vulnerabilities that have been exploited in the wild:

CVE Description Tenable Blog Links Year
CVE-2019-7481 SonicWall SMA100 SQL Injection Vulnerability 1 2019
CVE-2019-7483 SonicWall SMA100 Directory Traversal Vulnerability 2019
CVE-2021-20016 SonicWall SSLVPN SMA100 SQL Injection Vulnerability 1, 2, 3, 4, 5 2021
CVE-2021-20038 SonicWall SMA100 Stack-based Buffer Overflow Vulnerability 1, 2, 3 2021
CVE-2025-23006 SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability 1 2025
CVE-2024-40766 SonicWall SonicOS Improper Access Control Vulnerability 1 2025
CVE-2025-40602 SonicWall SMA 1000 Privilege Escalation Vulnerability 1 2025

Both CVE-2026-15409 and CVE-2026-15410 have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog with a remediation date of Friday, July 17, despite only being added on July 14. Given the urgency surrounding these vulnerabilities and the historical exploitation of these devices, immediate patching is recommended.

Proof of concept

At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2026-15409 or CVE-2026-15410. If and when a public PoC exploit becomes available for these vulnerabilities, we anticipate an increase in exploitation as attackers will attempt to leverage these flaws as part of their attacks.

Solution

SonicWall has released patches to address this vulnerability in SMA1000 models 6210, 7210 and 8200v as outlined in the table below:

Affected Version Fixed Version
12.4.3-03245 12.4.3-03453 and later versions
12.4.3-03387 12.4.3-03453 and later versions
12.4.3-03434 12.4.3-03453 and later versions
12.5.0-02283 12.5.0-02835 and later versions
12.5.0-02624 12.5.0-02835 and later versions
12.5.0-02800 12.5.0-02835 and later versions

While the advisory does not provide any workarounds, it does include indicators of compromise (IoCs) for threat hunters to determine if any exploitation has impacted their devices. We recommend reviewing the advisory for the most up to date IoCs.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-15409 and CVE-2026-15410 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SonicWall devices:

Get more information

Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Latest posts

Technology Trends
Travis Norris

Update Fatigue: How the relentless pace of software updates is breaking user trust — and what organizations can do about it

Somewhere between the fourteenth update notification of the week and the third forced restart during a critical deadline, something breaks. Not the software — the user. They click “Remind me later.” Then again. And again. Eventually, they stop updating altogether.

This is update fatigue — and it’s quietly becoming one of the most significant and underappreciated vulnerabilities in organizational cybersecurity today.

Read More ⇾
Kofi's Korner - Insights from DataComm's Technical Solutions Team
Kofi's Korner
Kofi Kankam

Kofi’s Korner April 2026

Rising technology costs, evolving cyber threats, and increasingly complex IT environments are forcing organizations to rethink how they plan, protect, and scale their infrastructure. In this edition of Kofi’s Korner, we explore what’s driving today’s unpredictable pricing landscape, how a layered security approach strengthens resilience, and why solutions like SecurShield IDS/IPS are critical in a firewall-first world. Discover practical insights and strategies to help your organization stay secure, compliant, and ahead of what’s next.

Read More ⇾

SecurNOC

Monitor your network devices and view their configuration changes.

SecurPortal

A live look at your events, security event charts and tickets.

Ticketing Portal

Login here to easily add and managed trouble tickets.

Remote Support

Let DataComm remotely access your computer to render aid.