New at Horizon3.ai

SonicWall SMA1000 Server-Side Request Forgery and Code Injection Vulnerabilities

CVE-2026-15409 and CVE-2026-15410 are actively exploited vulnerabilities affecting SonicWall Secure Mobile Access 1000 Series appliances. CVE-2026-15409 is a critical pre-authentication server-side request forgery vulnerability that can allow an unauthenticated attacker to reach services bound to the appliance’s local interface. CVE-2026-15410 is a post-authentication code injection vulnerability that can allow an attacker with administrator-level access to execute arbitrary operating system commands. The vulnerabilities have CVSS v3 scores of 10.0 (Critical) and 7.2 (High), respectively, and both have been added to CISA’s Known Exploited Vulnerabilities Catalog.

Technical Details

CVE-2026-15409 is a server-side request forgery vulnerability in the SonicWall SMA1000 Appliance Work Place interface. A remote, unauthenticated attacker can exploit the vulnerability to cause the appliance to make requests to unintended locations.

CVE-2026-15410 is a code injection vulnerability in the SMA1000 Appliance Management Console. Under specific conditions, a remote authenticated attacker with administrator privileges can execute arbitrary operating system commands. 

Attackers have been observed chaining the vulnerabilities. CVE-2026-15409 provides unauthenticated access to the internal service required to reach CVE-2026-15410, which can then be exploited to execute commands on the appliance. This chain can result in unauthenticated operating system command execution and full compromise of the affected device.

CVE-2026-15409

CVSS v3: 10.0 (Critical)
Vulnerability type: Server-Side Request Forgery
Affected component: Appliance Work Place interface
Attack vector: Network
Authentication required: None
Impact: Access to unintended locations, including services reachable only from the appliance

CVE-2026-15410

CVSS v3: 7.2 (High)
Vulnerability type: Code Injection
Affected component: Appliance Management Console
Attack vector: Network
Authentication required: Administrator privileges under the vendor-described attack model
Impact: Arbitrary operating system command execution

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether these vulnerabilities can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

  • Run the Rapid Response test: Launch from the NodeZero platform to determine whether CVE-2026-15409 or CVE-2026-15410 can be exploited.
  • Patch immediately: Upgrade affected SMA1000 appliances to a fixed platform hotfix and perform the forensic review recommended by SonicWall.
  • Re-run the test: Confirm the vulnerabilities are no longer exploitable after remediation.

Indicators of Compromise

SonicWall has published the following indicators associated with the active exploitation investigated under its advisory for CVE-2026-15409 and CVE-2026-15410.

Indicator TypeDescription
Log entryRequests to /__api__/login or /__api__/logout with an HTTP 200 status in extraweb_access.log
Log entryRequests to /wsproxy containing suspicious host parameters with an HTTP 101 status in extraweb_access.log
Log entryHotfix rollback activity containing path traversal names in ctrl-service.log
Configuration fileRoutes for /__api__/login or /__api__/logout in /var/lib/unit/conf.json; these routes are not part of a legitimate configuration

Organizations that identify any of these indicators should follow SonicWall’s incident-response guidance. SonicWall recommends re-imaging affected physical appliances or redeploying virtual appliances, changing user and administrator passwords, and resetting time-based one-time password tokens.

Affected Versions & Patch

Affected

The vulnerabilities affect SonicWall SMA1000 Series appliances running vulnerable builds in the 12.4.3 and 12.5.0 firmware branches, including the following builds identified by SonicWall:

  • 12.4.3-03245
  • 12.4.3-03387
  • 12.4.3-03434
  • 12.5.0-02283
  • 12.5.0-02624
  • 12.5.0-02800

Affected products include supported SMA1000 physical appliances, virtual appliances, and Central Management Server deployments covered by the SonicWall advisory.

Fixed

SonicWall has released the following fixed platform hotfix versions:

  • 12.4.3-03453 and later
  • 12.5.0-02835 and later

Organizations should install the latest available platform hotfix rather than remaining on an earlier build in either firmware branch.

Mitigations

SonicWall has not identified a workaround that replaces installing the fixed platform hotfix. Organizations should patch immediately and perform a thorough forensic analysis to determine whether an appliance was compromised before remediation.

Where compromise is suspected or confirmed, SonicWall recommends:

  • Re-image physical appliances or redeploy virtual appliances.
  • Change all user and administrator passwords.
  • Reset time-based one-time password tokens.
  • Review appliance configuration and logs for the published indicators of compromise.

Timeline

  • Late June 2026: Reports of targeted exploitation of internet-facing SonicWall SMA1000 appliances.
  • July 13, 2026: SonicWall published its product notice regarding actively exploited vulnerabilities affecting SMA1000 Series appliances.
  • July 14, 2026: SonicWall published PSIRT advisory SNWLID-2026-0008 for CVE-2026-15409 and CVE-2026-15410 and released fixed platform hotfix builds.
  • July 14, 2026: CISA added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and established a July 17, 2026 remediation deadline for Federal Civilian Executive Branch agencies.
  • July 16, 2026: Horizon3.ai released NodeZero Rapid Response tests for CVE-2026-15409 and CVE-2026-15410.

References

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By