Skip to content

SonicWall SMA1000 zero-days chained: CISA adds CVE-2026-15409 and 15410 to KEV

CISA added SonicWall SMA1000 zero-days CVE-2026-15409 (SSRF, CVSS 10.0) and CVE-2026-15410 to KEV on July 14, chained by Rapid7 MDR. Federal deadline July 17.

Published 3 min read

SonicWall confirmed active exploitation of two SMA 1000 Series zero-days after Rapid7's MDR team observed the chain in internet-facing appliances. CVE-2026-15409 is an unauthenticated SSRF in the Appliance Work Place interface, rated CVSS 10.0. CVE-2026-15410 is a post-authentication OS command injection in the Appliance Management Console, rated CVSS 7.2. CISA added both to the Known Exploited Vulnerabilities catalog on July 14, 2026, with a July 17 BOD 26-04 remediation deadline for federal civilian agencies. There is no workaround; patching is the only fix.

Affected products

Per the SonicWall product notice:

  • SMA 6210, SMA 7210, SMA 8200v
  • Firmware: 12.4.3 branch through 12.4.3-03434, and 12.5.0 branch through 12.5.0-02800.

SMA 100 Series appliances (200/210/400/410/500v) are not in scope of this notice.

Patched builds

  • 12.4.3-03453 platform-hotfix or later.
  • 12.5.0-02835 platform-hotfix or later.

Both are available on mysonicwall.com. SonicWall states no workaround exists — patching is the only complete remediation.

The chain

Rapid7's MDR write-up, which triggered the vendor disclosure, describes the two bugs used in tandem:

  1. CVE-2026-15409 — the SSRF primitive lets an unauthenticated remote attacker force the appliance to open a websocket-based tunnel to arbitrary localhost-only services and reach internal network segments that would normally be shielded.
  2. CVE-2026-15410 — the post-auth code injection in the Management Console. Reachable via a localhost service on port 8188, a path-traversal in the remove_hotfix workflow executes arbitrary OS commands as root.

Combined, an unauthenticated internet attacker reaches root on the appliance without needing a valid credential. That is why CISA treats these as a paired KEV addition rather than two separate entries.

Detection artefacts

Rapid7's blog publishes the following IOCs. Reproduce them on your appliance's logs verbatim:

extraweb_access.log
  requests to /__api__/login or /__api__/logout returning HTTP 200
  requests to /wsproxy with suspicious host parameters returning HTTP 101

ctrl-service.log
  hotfix rollbacks whose names contain path-traversal sequences

/var/lib/unit/conf.json
  routes for /__api__/login or /__api__/logout
  (these URIs do not exist in a legitimate configuration)

Neither SonicWall nor CISA has published YARA, Sigma, or Snort artefacts as of writing. Rapid7's log-string set is the only detection package in circulation from the disclosing party.

Action checklist

  1. Upgrade every SMA 1000 appliance to 12.4.3-03453 or 12.5.0-02835 (or later) from mysonicwall.com. Federal civilian agencies must meet the July 17, 2026 BOD 26-04 deadline for both CVEs, or discontinue the product.
  2. Hunt the four Rapid7 IOCs on any appliance that has been internet-reachable prior to patching. Pull extraweb_access.log, ctrl-service.log, and /var/lib/unit/conf.json and grep for the strings above. A hit on any of them is treated as compromise.
  3. If compromise is confirmed, follow SonicWall's response guidance: re-image physical appliances or redeploy virtual appliances from a clean image, then rotate every user and administrator password and reset TOTP tokens. Patching alone does not evict the attacker.
  4. Take the Work Place interface off the public internet wherever the workload allows while the audit runs. The unauthenticated SSRF primitive gets an attacker the tunnel; removing exposure removes the primitive.
  5. Preserve appliance disk images before re-imaging if compromise is suspected. Rapid7's IOCs cover the initial-access chain but not any second-stage tooling an operator may have staged from root.

Context

The SMA 1000 line has now shipped an actively-exploited chain twice in eighteen months — the January 2025 SMA1000 CVE-2025-23006 deserialization RCE also landed in KEV and drew a Rapid7 MDR advisory. The pattern — an internet-facing SSL-VPN appliance where a Work Place primitive tunnels into an admin-only Management Console — is what makes the paired disclosure land at CVSS 10.0. The July 14 KEV batch also includes CVE-2026-56155 (ADFS) and CVE-2026-56164 (SharePoint), covered in yesterday's post; federal-civilian remediation deadlines for all four converge on July 17.

Related stories