SonicWall SMA appliances targeted in zero-day attacks (CVE-2026-15409, CVE-2026-15410)
SonicWall has fixed two actively exploited vulnerabilities (CVE-2026-15409, CVE-2026-15410) affecting its Secure Mobile Access (SMA) 1000 Series appliances, and is urging customer organizations to upgrade to a fixed firmare version and search for evidence of potential compromise.

If the outlined indicators of compromise are present on the system, the company advises re-imaging (hardware) or re-deploying (virtual) appliances, changing user and administrator passwords, and resetting TOTP tokens.
The vulnerabilities
SonicWall SMA 1000 series appliances are secure remote access (SSL VPN) gateways designed for medium-to-large businesses, multinationals, government agencies, and managed security service providers.
CVE-2026-15409 is a critical server-side request forgery (SSRF) flaw in the SMA1000 Appliance Work Place interface, which may allow remote unauthenticated attackers to “cause the appliance to make requests to unintended location.”
The high-severity code injection flaw in the SMA1000 Appliance Management Console (CVE-2026-15410) may allow remote attackers authenticated as an admin to execute arbitrary OS commands and achieve remote code execution.
In attacks observed so far, the two bugs are being exploited in tandem.
“We have confirmed that these vulnerabilities are being actively exploited in the wild and are not unique to SonicWall,” a company spokesperson told us, and said that upon discovery, the company investigated the issue, developed and released a firmware patch, and notified impacted customers.
SonicWall sent an alert to customers in advance of the publication of the security advisory, advising them to get in touch with SonicWall Support to receive the hotfixes (v12.4.3-03453 and 12.5.0-02835) before they are made available to the company site on July 14, 2026.
The company also developed a script they can run on behalf of affected customers to assist with resolution, and mitigation efforts are already underway, the spokesperson added. “Our support team is assisting customers through instances of suspicious activity on a case-by-case basis.”
Patching alone is not sufficient
SonicWall SMA appliances and firewalls are often targeted by attackers, sometimes by exploiting zero-day, other times by leveraging old, previously known vulnerabilities.
CVE-2026-15409 and CVE-2026-15410 affect SonicWall’s SMA6210, SMA7210, and SMA8200v appliances. Affected firmware (platform-hotfix) versions are:
- 12.4.3-03245
- 12.4.3-03387
- 12.4.3-03434
- 12.5.0-02283
- 12.5.0-02624
- 12.5.0-02800
“It is important that customers understand patching alone is not sufficient. Even after applying the update, we strongly recommend reviewing logs for indicators of compromise and following the guidance in our KB article closely,” the spokesperson stressed.
Adam Babis of SonicWall PSIRT has been credited with discovering and reporting the two vulnerabilities.
UPDATE (July 15, 2026, 02:30 a.m. ET):
With an update of the security advisory, SonicWall also credited Sean Koessel and Steven Adair, researchers and co-founders of Volexity, with helping advance SonicWall’s PSIRT investigation and expanding the IOC list.
CISA has added the two flaws to its Known Exploited Vulnerabilities catalog, and ordered US federal civilian agencies to address the vulnerability by July 17, 2026, and investigate whether their appliances have been exploited.
UPDATE (July 16, 2026, 03:30 a.m. ET):
Rapid7 says that prior to SonicWall’s official vulnerability disclosure, its Managed Detection and Response team observed the zero-day exploitation activity against internet-facing SMA 1000-series appliances.
The attackers are exploiting the flaws to compromise the appliances for stealthy initial access and, once they established a foothold, they extract high-value credentials, active session databases, and TOTP multi-factor authentication seed configurations, to ensure long-term access.
Then they move further afield.
“Specifically, we observed a sequence of anomalous, VPN-less Active Directory authentications targeting core domain controllers. These authentications originated directly from the appliance’s internal IP address, using atypical, non-corporate workstation client names (such as kali or other non-inventory hostnames) under the context of the appliance’s integrated LDAP service account. This unique behavior of direct, machine-level lateral movement with no corresponding active VPN tunnel confirmed that the appliance itself had been fully compromised and was acting as an unmonitored backdoor into the corporate directory infrastructure,” Rapid7 added.
The company has outlined specific log patterns, IoCs and artifacts that point to compromise, and has released a proof-of-concept for CVE-2026-15409 that can be used for exposure validation.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
