SonicWall SMA1000 Server-Side Request Forgery and Code Injection Vulnerabilities
CVE-2026-15409 and CVE-2026-15410 are actively exploited vulnerabilities affecting SonicWall Secure Mobile Access 1000 Series appliances. CVE-2026-15409 is a critical pre-authentication server-side request forgery vulnerability that can allow an unauthenticated attacker to reach services bound to the appliance’s local interface. CVE-2026-15410 is a post-authentication code injection vulnerability that can allow an attacker with administrator-level access to execute arbitrary operating system commands. The vulnerabilities have CVSS v3 scores of 10.0 (Critical) and 7.2 (High), respectively, and both have been added to CISA’s Known Exploited Vulnerabilities Catalog.
Technical Details
CVE-2026-15409 is a server-side request forgery vulnerability in the SonicWall SMA1000 Appliance Work Place interface. A remote, unauthenticated attacker can exploit the vulnerability to cause the appliance to make requests to unintended locations.
CVE-2026-15410 is a code injection vulnerability in the SMA1000 Appliance Management Console. Under specific conditions, a remote authenticated attacker with administrator privileges can execute arbitrary operating system commands.
Attackers have been observed chaining the vulnerabilities. CVE-2026-15409 provides unauthenticated access to the internal service required to reach CVE-2026-15410, which can then be exploited to execute commands on the appliance. This chain can result in unauthenticated operating system command execution and full compromise of the affected device.
CVE-2026-15409
CVSS v3: 10.0 (Critical)
Vulnerability type: Server-Side Request Forgery
Affected component: Appliance Work Place interface
Attack vector: Network
Authentication required: None
Impact: Access to unintended locations, including services reachable only from the appliance
CVE-2026-15410
CVSS v3: 7.2 (High)
Vulnerability type: Code Injection
Affected component: Appliance Management Console
Attack vector: Network
Authentication required: Administrator privileges under the vendor-described attack model
Impact: Arbitrary operating system command execution
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether these vulnerabilities can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
- Run the Rapid Response test: Launch from the NodeZero platform to determine whether CVE-2026-15409 or CVE-2026-15410 can be exploited.
- Patch immediately: Upgrade affected SMA1000 appliances to a fixed platform hotfix and perform the forensic review recommended by SonicWall.
- Re-run the test: Confirm the vulnerabilities are no longer exploitable after remediation.
Indicators of Compromise
SonicWall has published the following indicators associated with the active exploitation investigated under its advisory for CVE-2026-15409 and CVE-2026-15410.
| Indicator Type | Description |
| Log entry | Requests to /__api__/login or /__api__/logout with an HTTP 200 status in extraweb_access.log |
| Log entry | Requests to /wsproxy containing suspicious host parameters with an HTTP 101 status in extraweb_access.log |
| Log entry | Hotfix rollback activity containing path traversal names in ctrl-service.log |
| Configuration file | Routes for /__api__/login or /__api__/logout in /var/lib/unit/conf.json; these routes are not part of a legitimate configuration |
Organizations that identify any of these indicators should follow SonicWall’s incident-response guidance. SonicWall recommends re-imaging affected physical appliances or redeploying virtual appliances, changing user and administrator passwords, and resetting time-based one-time password tokens.
Affected Versions & Patch
Affected
The vulnerabilities affect SonicWall SMA1000 Series appliances running vulnerable builds in the 12.4.3 and 12.5.0 firmware branches, including the following builds identified by SonicWall:
- 12.4.3-03245
- 12.4.3-03387
- 12.4.3-03434
- 12.5.0-02283
- 12.5.0-02624
- 12.5.0-02800
Affected products include supported SMA1000 physical appliances, virtual appliances, and Central Management Server deployments covered by the SonicWall advisory.
Fixed
SonicWall has released the following fixed platform hotfix versions:
- 12.4.3-03453 and later
- 12.5.0-02835 and later
Organizations should install the latest available platform hotfix rather than remaining on an earlier build in either firmware branch.
Mitigations
SonicWall has not identified a workaround that replaces installing the fixed platform hotfix. Organizations should patch immediately and perform a thorough forensic analysis to determine whether an appliance was compromised before remediation.
Where compromise is suspected or confirmed, SonicWall recommends:
- Re-image physical appliances or redeploy virtual appliances.
- Change all user and administrator passwords.
- Reset time-based one-time password tokens.
- Review appliance configuration and logs for the published indicators of compromise.
Timeline
- Late June 2026: Reports of targeted exploitation of internet-facing SonicWall SMA1000 appliances.
- July 13, 2026: SonicWall published its product notice regarding actively exploited vulnerabilities affecting SMA1000 Series appliances.
- July 14, 2026: SonicWall published PSIRT advisory SNWLID-2026-0008 for CVE-2026-15409 and CVE-2026-15410 and released fixed platform hotfix builds.
- July 14, 2026: CISA added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and established a July 17, 2026 remediation deadline for Federal Civilian Executive Branch agencies.
- July 16, 2026: Horizon3.ai released NodeZero Rapid Response tests for CVE-2026-15409 and CVE-2026-15410.